gatsby-4.25.7.tgz: 34 vulnerabilities (highest severity is: 8.7)

[ibm-mend-app]

Vulnerable Library - gatsby-4.25.7.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Found in HEAD commit: 38861040afa73313b71d1d8b3f6404bff7d9796b

Vulnerabilities

Vulnerability	Severity	CVSS	Dependency	Type	Fixed in (gatsby version)	Remediation Possible**
CVE-2025-7783	High	8.7	form-data-3.0.1.tgz	Transitive	4.25.8	✅
WS-2023-0439	High	7.5	axios-0.21.4.tgz	Transitive	N/A*	❌
CVE-2025-7338	High	7.5	multer-1.4.5-lts.1.tgz	Transitive	N/A*	❌
CVE-2025-58754	High	7.5	axios-0.21.4.tgz	Transitive	5.14.0-canary.7	✅
CVE-2025-48997	High	7.5	multer-1.4.5-lts.1.tgz	Transitive	5.14.4	✅
CVE-2025-47944	High	7.5	multer-1.4.5-lts.1.tgz	Transitive	5.14.4	✅
CVE-2025-47935	High	7.5	multer-1.4.5-lts.1.tgz	Transitive	5.14.4	✅
CVE-2025-27611	High	7.5	base-x-3.0.9.tgz	Transitive	N/A*	❌
CVE-2025-27152	High	7.5	axios-0.21.4.tgz	Transitive	5.14.0-canary.7	✅
CVE-2024-52798	High	7.5	path-to-regexp-0.1.7.tgz	Transitive	4.25.8	✅
CVE-2024-45590	High	7.5	body-parser-1.20.2.tgz	Transitive	4.25.8	✅
CVE-2024-45296	High	7.5	path-to-regexp-0.1.7.tgz	Transitive	4.25.8	✅
CVE-2024-37890	High	7.5	ws-8.2.3.tgz	Transitive	5.0.0	✅
CVE-2024-21538	High	7.5	detected in multiple dependencies	Transitive	N/A*	❌
CVE-2024-29180	High	7.4	webpack-dev-middleware-4.3.0.tgz	Transitive	5.14.0	✅
CVE-2024-38355	High	7.3	socket.io-4.5.4.tgz	Transitive	5.12.0	✅
CVE-2025-56648	Medium	6.5	reporter-dev-server-2.6.2.tgz	Transitive	N/A*	❌
CVE-2023-45857	Medium	6.5	axios-0.21.4.tgz	Transitive	5.14.0-canary.7	✅
CVE-2023-31125	Medium	6.5	engine.io-6.2.1.tgz	Transitive	5.0.0	✅
CVE-2024-43788	Medium	6.4	webpack-5.88.1.tgz	Transitive	4.25.8	✅
CVE-2025-27789	Medium	6.2	detected in multiple dependencies	Transitive	4.25.8	✅
CVE-2024-11831	Medium	5.4	detected in multiple dependencies	Transitive	N/A*	❌
CVE-2024-47764	Medium	5.3	detected in multiple dependencies	Transitive	N/A*	❌
CVE-2024-4067	Medium	5.3	micromatch-4.0.5.tgz	Transitive	4.25.8	✅
CVE-2023-44270	Medium	5.3	postcss-8.4.25.tgz	Transitive	4.25.8	✅
CVE-2022-33987	Medium	5.3	got-9.6.0.tgz	Transitive	N/A*	❌
CVE-2022-25883	Medium	5.3	semver-7.0.0.tgz	Transitive	5.0.0	✅
CVE-2024-43800	Medium	5.0	serve-static-1.15.0.tgz	Transitive	4.25.8	✅
CVE-2024-43799	Medium	5.0	send-0.18.0.tgz	Transitive	4.25.8	✅
CVE-2024-43796	Medium	5.0	express-4.19.2.tgz	Transitive	4.25.8	✅
CVE-2024-55565	Medium	4.3	nanoid-3.3.6.tgz	Transitive	4.25.8	✅
CVE-2025-7339	Low	3.4	on-headers-1.0.2.tgz	Transitive	4.25.8	✅
CVE-2025-5889	Low	3.1	brace-expansion-1.1.11.tgz	Transitive	4.25.8	✅
CVE-2025-54798	Low	2.5	detected in multiple dependencies	Transitive	N/A*	❌

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

Partial details (21 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2025-7783

Vulnerable Library - form-data-3.0.1.tgz

A library to create readable "multipart/form-data" streams. Can be used to submit forms and file uploads to other web applications.

Library home page: https://registry.npmjs.org/form-data/-/form-data-3.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• gatsby-4.25.7.tgz (Root Library)
  • gatsby-telemetry-3.25.0.tgz
    • fetch-7.2.0.tgz
      • node-fetch-2.6.4.tgz
        • ❌ form-data-3.0.1.tgz (Vulnerable Library)

Found in HEAD commit: 38861040afa73313b71d1d8b3f6404bff7d9796b

Found in base branch: master

Vulnerability Details

Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated with program files lib/form_data.Js.
This issue affects form-data: < 2.5.4, 3.0.0 - 3.0.3, 4.0.0 - 4.0.3.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2025-07-18

URL: CVE-2025-7783

CVSS 3 Score Details (8.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: form-data/form-data@3d17230

Release Date: 2025-07-18

Fix Resolution (form-data): 3.0.4

Direct dependency fix Resolution (gatsby): 4.25.8

⛑️ Automatic Remediation will be attempted for this issue.

WS-2023-0439

Vulnerable Library - axios-0.21.4.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-0.21.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• gatsby-4.25.7.tgz (Root Library)
  • ❌ axios-0.21.4.tgz (Vulnerable Library)

Found in HEAD commit: 38861040afa73313b71d1d8b3f6404bff7d9796b

Found in base branch: master

Vulnerability Details

Axios is vulnerable to Regular Expression Denial of Service (ReDoS). When a manipulated string is provided as input to the format method, the regular expression exhibits a time complexity of O(n^2). Server becomes unable to provide normal service due to the excessive cost and time wasted in processing vulnerable regular expressions.

Publish Date: 2023-10-25

URL: WS-2023-0439

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

CVE-2025-7338

Vulnerable Library - multer-1.4.5-lts.1.tgz

Middleware for handling `multipart/form-data`.

Library home page: https://registry.npmjs.org/multer/-/multer-1.4.5-lts.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• gatsby-4.25.7.tgz (Root Library)
  • ❌ multer-1.4.5-lts.1.tgz (Vulnerable Library)

Found in HEAD commit: 38861040afa73313b71d1d8b3f6404bff7d9796b

Found in base branch: master

Vulnerability Details

Multer is a node.js middleware for handling "multipart/form-data". A vulnerability that is present starting in version 1.4.4-lts.1 and prior to version 2.0.2 allows an attacker to trigger a Denial of Service (DoS) by sending a malformed multi-part upload request. This request causes an unhandled exception, leading to a crash of the process. Users should upgrade to version 2.0.2 to receive a patch. No known workarounds are available.

Publish Date: 2025-07-17

URL: CVE-2025-7338

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-fjgf-rc76-4x9p

Release Date: 2025-07-17

Fix Resolution: multer - 2.0.2

CVE-2025-58754

Vulnerable Library - axios-0.21.4.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-0.21.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• gatsby-4.25.7.tgz (Root Library)
  • ❌ axios-0.21.4.tgz (Vulnerable Library)

Found in HEAD commit: 38861040afa73313b71d1d8b3f6404bff7d9796b

Found in base branch: master

Vulnerability Details

Axios is a promise based HTTP client for the browser and Node.js. When Axios prior to version 1.11.0 runs on Node.js and is given a URL with the "data:" scheme, it does not perform HTTP. Instead, its Node http adapter decodes the entire payload into memory ("Buffer"/"Blob") and returns a synthetic 200 response. This path ignores "maxContentLength" / "maxBodyLength" (which only protect HTTP responses), so an attacker can supply a very large "data:" URI and cause the process to allocate unbounded memory and crash (DoS), even if the caller requested "responseType: 'stream'". Version 1.11.0 contains a patch for the issue.

Publish Date: 2025-09-12

URL: CVE-2025-58754

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-4hjh-wcwx-xvwj

Release Date: 2025-09-12

Fix Resolution (axios): 1.12.0

Direct dependency fix Resolution (gatsby): 5.14.0-canary.7

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2025-48997

Vulnerable Library - multer-1.4.5-lts.1.tgz

Middleware for handling `multipart/form-data`.

Library home page: https://registry.npmjs.org/multer/-/multer-1.4.5-lts.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• gatsby-4.25.7.tgz (Root Library)
  • ❌ multer-1.4.5-lts.1.tgz (Vulnerable Library)

Found in HEAD commit: 38861040afa73313b71d1d8b3f6404bff7d9796b

Found in base branch: master

Vulnerability Details

Multer is a node.js middleware for handling "multipart/form-data". A vulnerability that is present starting in version 1.4.4-lts.1 and prior to version 2.0.1 allows an attacker to trigger a Denial of Service (DoS) by sending an upload file request with an empty string field name. This request causes an unhandled exception, leading to a crash of the process. Users should upgrade to "2.0.1" to receive a patch. No known workarounds are available.

Publish Date: 2025-06-03

URL: CVE-2025-48997

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-g5hg-p3ph-g8qg

Release Date: 2025-06-03

Fix Resolution (multer): 2.0.1

Direct dependency fix Resolution (gatsby): 5.14.4

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2025-47944

Vulnerable Library - multer-1.4.5-lts.1.tgz

Middleware for handling `multipart/form-data`.

Library home page: https://registry.npmjs.org/multer/-/multer-1.4.5-lts.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• gatsby-4.25.7.tgz (Root Library)
  • ❌ multer-1.4.5-lts.1.tgz (Vulnerable Library)

Found in HEAD commit: 38861040afa73313b71d1d8b3f6404bff7d9796b

Found in base branch: master

Vulnerability Details

Multer is a node.js middleware for handling "multipart/form-data". A vulnerability that is present starting in version 1.4.4-lts.1 and prior to version 2.0.0 allows an attacker to trigger a Denial of Service (DoS) by sending a malformed multi-part upload request. This request causes an unhandled exception, leading to a crash of the process. Users should upgrade to version 2.0.0 to receive a patch. No known workarounds are available.

Publish Date: 2025-05-19

URL: CVE-2025-47944

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-4pg4-qvpc-4q3h

Release Date: 2025-05-19

Fix Resolution (multer): 2.0.0

Direct dependency fix Resolution (gatsby): 5.14.4

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2025-47935

Vulnerable Library - multer-1.4.5-lts.1.tgz

Middleware for handling `multipart/form-data`.

Library home page: https://registry.npmjs.org/multer/-/multer-1.4.5-lts.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• gatsby-4.25.7.tgz (Root Library)
  • ❌ multer-1.4.5-lts.1.tgz (Vulnerable Library)

Found in HEAD commit: 38861040afa73313b71d1d8b3f6404bff7d9796b

Found in base branch: master

Vulnerability Details

Multer is a node.js middleware for handling "multipart/form-data". Versions prior to 2.0.0 are vulnerable to a resource exhaustion and memory leak issue due to improper stream handling. When the HTTP request stream emits an error, the internal "busboy" stream is not closed, violating Node.js stream safety guidance. This leads to unclosed streams accumulating over time, consuming memory and file descriptors. Under sustained or repeated failure conditions, this can result in denial of service, requiring manual server restarts to recover. All users of Multer handling file uploads are potentially impacted. Users should upgrade to 2.0.0 to receive a patch. No known workarounds are available.

Publish Date: 2025-05-19

URL: CVE-2025-47935

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-44fp-w29j-9vj5

Release Date: 2025-05-19

Fix Resolution (multer): 2.0.0

Direct dependency fix Resolution (gatsby): 5.14.4

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2025-27611

Vulnerable Library - base-x-3.0.9.tgz

Fast base encoding / decoding of any given alphabet

Library home page: https://registry.npmjs.org/base-x/-/base-x-3.0.9.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• gatsby-4.25.7.tgz (Root Library)
  • core-2.6.2.tgz
    • ❌ base-x-3.0.9.tgz (Vulnerable Library)

Found in HEAD commit: 38861040afa73313b71d1d8b3f6404bff7d9796b

Found in base branch: master

Vulnerability Details

base-x is a base encoder and decoder of any given alphabet using bitcoin style leading zero compression. Versions 4.0.0, 5.0.0, and all prior to 3.0.11, are vulnerable to attackers potentially deceiving users into sending funds to an unintended address. This issue has been patched in versions 3.0.11, 4.0.1, and 5.0.1.

Publish Date: 2025-04-30

URL: CVE-2025-27611

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-xq7p-g2vc-g82p

Release Date: 2025-04-30

Fix Resolution: https://github.com/cryptocoinjs/base-x.git - v3.0.11

CVE-2025-27152

Vulnerable Library - axios-0.21.4.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-0.21.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• gatsby-4.25.7.tgz (Root Library)
  • ❌ axios-0.21.4.tgz (Vulnerable Library)

Found in HEAD commit: 38861040afa73313b71d1d8b3f6404bff7d9796b

Found in base branch: master

Vulnerability Details

axios is a promise based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative URLs to axios. Even if ⁠baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This issue impacts both server-side and client-side usage of axios. This issue is fixed in 1.8.2.

Publish Date: 2025-03-07

URL: CVE-2025-27152

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2025-27152

Release Date: 2025-03-07

Fix Resolution (axios): 0.30.0

Direct dependency fix Resolution (gatsby): 5.14.0-canary.7

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2024-52798

Vulnerable Library - path-to-regexp-0.1.7.tgz

Express style path to RegExp utility

Library home page: https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.7.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• gatsby-4.25.7.tgz (Root Library)
  • express-4.19.2.tgz
    • ❌ path-to-regexp-0.1.7.tgz (Vulnerable Library)

Found in HEAD commit: 38861040afa73313b71d1d8b3f6404bff7d9796b

Found in base branch: master

Vulnerability Details

path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. The regular expression that is vulnerable to backtracking can be generated in the 0.1.x release of path-to-regexp. Upgrade to 0.1.12. This vulnerability exists because of an incomplete fix for CVE-2024-45296.

Publish Date: 2024-12-05

URL: CVE-2024-52798

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-rhx6-c78j-4q9w

Release Date: 2024-12-05

Fix Resolution (path-to-regexp): 0.1.12

Direct dependency fix Resolution (gatsby): 4.25.8

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2024-45590

Vulnerable Library - body-parser-1.20.2.tgz

Library home page: https://registry.npmjs.org/body-parser/-/body-parser-1.20.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• gatsby-4.25.7.tgz (Root Library)
  • express-4.19.2.tgz
    • ❌ body-parser-1.20.2.tgz (Vulnerable Library)

Found in HEAD commit: 38861040afa73313b71d1d8b3f6404bff7d9796b

Found in base branch: master

Vulnerability Details

body-parser is Node.js body parsing middleware. body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. This issue is patched in 1.20.3.

Publish Date: 2024-09-10

URL: CVE-2024-45590

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-qwcr-r2fm-qrc7

Release Date: 2024-09-10

Fix Resolution (body-parser): 1.20.3

Direct dependency fix Resolution (gatsby): 4.25.8

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2024-45296

Vulnerable Library - path-to-regexp-0.1.7.tgz

Express style path to RegExp utility

Library home page: https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.7.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• gatsby-4.25.7.tgz (Root Library)
  • express-4.19.2.tgz
    • ❌ path-to-regexp-0.1.7.tgz (Vulnerable Library)

Found in HEAD commit: 38861040afa73313b71d1d8b3f6404bff7d9796b

Found in base branch: master

Vulnerability Details

path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a DoS. The bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0.

Publish Date: 2024-09-09

URL: CVE-2024-45296

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-9wv6-86v2-598j

Release Date: 2024-09-09

Fix Resolution (path-to-regexp): 0.1.10

Direct dependency fix Resolution (gatsby): 4.25.8

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2024-37890

Vulnerable Library - ws-8.2.3.tgz

Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js

Library home page: https://registry.npmjs.org/ws/-/ws-8.2.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• gatsby-4.25.7.tgz (Root Library)
  • socket.io-client-4.5.4.tgz
    • engine.io-client-6.2.3.tgz
      • ❌ ws-8.2.3.tgz (Vulnerable Library)

Found in HEAD commit: 38861040afa73313b71d1d8b3f6404bff7d9796b

Found in base branch: master

Vulnerability Details

ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.

Publish Date: 2024-06-17

URL: CVE-2024-37890

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-3h5v-q93c-6h6q

Release Date: 2024-06-17

Fix Resolution (ws): 8.17.1

Direct dependency fix Resolution (gatsby): 5.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2024-21538

Vulnerable Libraries - cross-spawn-6.0.5.tgz, cross-spawn-7.0.3.tgz

cross-spawn-6.0.5.tgz

Cross platform child_process#spawn and child_process#spawnSync

Library home page: https://registry.npmjs.org/cross-spawn/-/cross-spawn-6.0.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• gatsby-4.25.7.tgz (Root Library)
  • devcert-1.2.2.tgz
    • password-prompt-1.1.2.tgz
      • ❌ cross-spawn-6.0.5.tgz (Vulnerable Library)

cross-spawn-7.0.3.tgz

Cross platform child_process#spawn and child_process#spawnSync

Library home page: https://registry.npmjs.org/cross-spawn/-/cross-spawn-7.0.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• gatsby-4.25.7.tgz (Root Library)
  • react-dev-utils-12.0.1.tgz
    • ❌ cross-spawn-7.0.3.tgz (Vulnerable Library)

Found in HEAD commit: 38861040afa73313b71d1d8b3f6404bff7d9796b

Found in base branch: master

Vulnerability Details

Versions of the package cross-spawn before 6.0.6, from 7.0.0 and before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.

Publish Date: 2024-11-08

URL: CVE-2024-21538

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2024-21538

Release Date: 2024-11-08

Fix Resolution: https://github.com/moxystudio/node-cross-spawn.git - v7.0.5

CVE-2024-29180

Vulnerable Library - webpack-dev-middleware-4.3.0.tgz

A development middleware for webpack

Library home page: https://registry.npmjs.org/webpack-dev-middleware/-/webpack-dev-middleware-4.3.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• gatsby-4.25.7.tgz (Root Library)
  • ❌ webpack-dev-middleware-4.3.0.tgz (Vulnerable Library)

Found in HEAD commit: 38861040afa73313b71d1d8b3f6404bff7d9796b

Found in base branch: master

Vulnerability Details

Prior to versions 7.1.0, 6.1.2, and 5.3.4, the webpack-dev-middleware development middleware for devpack does not validate the supplied URL address sufficiently before returning the local file. It is possible to access any file on the developer's machine. The middleware can either work with the physical filesystem when reading the files or it can use a virtualized in-memory "memfs" filesystem. If "writeToDisk" configuration option is set to "true", the physical filesystem is used. The "getFilenameFromUrl" method is used to parse URL and build the local file path. The public path prefix is stripped from the URL, and the "unsecaped" path suffix is appended to the "outputPath". As the URL is not unescaped and normalized automatically before calling the midlleware, it is possible to use "%2e" and "%2f" sequences to perform path traversal attack.
Developers using "webpack-dev-server" or "webpack-dev-middleware" are affected by the issue. When the project is started, an attacker might access any file on the developer's machine and exfiltrate the content. If the development server is listening on a public IP address (or "0.0.0.0"), an attacker on the local network can access the local files without any interaction from the victim (direct connection to the port). If the server allows access from third-party domains, an attacker can send a malicious link to the victim. When visited, the client side script can connect to the local server and exfiltrate the local files. Starting with fixed versions 7.1.0, 6.1.2, and 5.3.4, the URL is unescaped and normalized before any further processing.

Publish Date: 2024-03-21

URL: CVE-2024-29180

CVSS 3 Score Details (7.4)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-wr3j-pwj9-hqq6

Release Date: 2024-03-21

Fix Resolution (webpack-dev-middleware): 5.3.4

Direct dependency fix Resolution (gatsby): 5.14.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2024-38355

Vulnerable Library - socket.io-4.5.4.tgz

node.js realtime framework server

Library home page: https://registry.npmjs.org/socket.io/-/socket.io-4.5.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• gatsby-4.25.7.tgz (Root Library)
  • ❌ socket.io-4.5.4.tgz (Vulnerable Library)

Found in HEAD commit: 38861040afa73313b71d1d8b3f6404bff7d9796b

Found in base branch: master

Vulnerability Details

Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. This issue is fixed by commit 15af22fc22 which has been included in socket.io@4.6.2 (released in May 2023). The fix was backported in the 2.x branch as well with commit d30630ba10. Users are advised to upgrade. Users unable to upgrade may attach a listener for the "error" event to catch these errors.

Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2024-06-19

URL: CVE-2024-38355

CVSS 3 Score Details (7.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-25hc-qcg6-38wj

Release Date: 2024-06-19

Fix Resolution (socket.io): 4.6.2

Direct dependency fix Resolution (gatsby): 5.12.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2025-56648

Vulnerable Library - reporter-dev-server-2.6.2.tgz

Blazing fast, zero configuration web application bundler

Library home page: https://registry.npmjs.org/@parcel/reporter-dev-server/-/reporter-dev-server-2.6.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• gatsby-4.25.7.tgz (Root Library)
  • gatsby-parcel-config-0.16.0.tgz
    • ❌ reporter-dev-server-2.6.2.tgz (Vulnerable Library)

Found in HEAD commit: 38861040afa73313b71d1d8b3f6404bff7d9796b

Found in base branch: master

Vulnerability Details

npm parcel 2.0.0-alpha and before has an Origin Validation Error vulnerability. Malicious websites can send XMLHTTPRequests to the application's development server and read the response to steal source code when developers visit them.

Publish Date: 2025-09-17

URL: CVE-2025-56648

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

CVE-2023-45857

Vulnerable Library - axios-0.21.4.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-0.21.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• gatsby-4.25.7.tgz (Root Library)
  • ❌ axios-0.21.4.tgz (Vulnerable Library)

Found in HEAD commit: 38861040afa73313b71d1d8b3f6404bff7d9796b

Found in base branch: master

Vulnerability Details

An issue discovered in Axios 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.

Publish Date: 2023-11-08

URL: CVE-2023-45857

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-wf5p-g6vw-rhxx

Release Date: 2023-11-08

Fix Resolution (axios): 0.28.0

Direct dependency fix Resolution (gatsby): 5.14.0-canary.7

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2023-31125

Vulnerable Library - engine.io-6.2.1.tgz

The realtime engine behind Socket.IO. Provides the foundation of a bidirectional connection between client and server

Library home page: https://registry.npmjs.org/engine.io/-/engine.io-6.2.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• gatsby-4.25.7.tgz (Root Library)
  • socket.io-4.5.4.tgz
    • ❌ engine.io-6.2.1.tgz (Vulnerable Library)

Found in HEAD commit: 38861040afa73313b71d1d8b3f6404bff7d9796b

Found in base branch: master

Vulnerability Details

Engine.IO is the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. An uncaught exception vulnerability was introduced in version 5.1.0 and included in version 4.1.0 of the "socket.io" parent package. Older versions are not impacted. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all the users of the "engine.io" package, including those who use depending packages like "socket.io". This issue was fixed in version 6.4.2 of Engine.IO. There is no known workaround except upgrading to a safe version.

Publish Date: 2023-05-08

URL: CVE-2023-31125

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-31125

Release Date: 2023-05-08

Fix Resolution (engine.io): 6.4.2

Direct dependency fix Resolution (gatsby): 5.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2024-43788

Vulnerable Library - webpack-5.88.1.tgz

Library home page: https://registry.npmjs.org/webpack/-/webpack-5.88.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• gatsby-4.25.7.tgz (Root Library)
  • ❌ webpack-5.88.1.tgz (Vulnerable Library)

Found in HEAD commit: 38861040afa73313b71d1d8b3f6404bff7d9796b

Found in base branch: master

Vulnerability Details

Webpack is a module bundler. Its main purpose is to bundle JavaScript files for usage in a browser, yet it is also capable of transforming, bundling, or packaging just about any resource or asset. The webpack developers have discovered a DOM Clobbering vulnerability in Webpack’s "AutoPublicPathRuntimeModule". The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an "img" tag with an unsanitized "name" attribute) are present. Real-world exploitation of this gadget has been observed in the Canvas LMS which allows a XSS attack to happen through a javascript code compiled by Webpack (the vulnerable part is from Webpack). DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. This vulnerability can lead to cross-site scripting (XSS) on websites that include Webpack-generated files and allow users to inject certain scriptless HTML tags with improperly sanitized name or id attributes. This issue has been addressed in release version 5.94.0. All users are advised to upgrade. There are no known workarounds for this issue.

Publish Date: 2024-08-27

URL: CVE-2024-43788

CVSS 3 Score Details (6.4)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-4vvj-4cpr-p986

Release Date: 2024-08-27

Fix Resolution (webpack): 5.94.0

Direct dependency fix Resolution (gatsby): 4.25.8

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2025-27789

Vulnerable Libraries - helpers-7.24.1.tgz, runtime-7.23.2.tgz

helpers-7.24.1.tgz

Library home page: https://registry.npmjs.org/@babel/helpers/-/helpers-7.24.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• gatsby-4.25.7.tgz (Root Library)
  • core-7.24.3.tgz
    • ❌ helpers-7.24.1.tgz (Vulnerable Library)

runtime-7.23.2.tgz

Library home page: https://registry.npmjs.org/@babel/runtime/-/runtime-7.23.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• gatsby-4.25.7.tgz (Root Library)
  • ❌ runtime-7.23.2.tgz (Vulnerable Library)

Found in HEAD commit: 38861040afa73313b71d1d8b3f6404bff7d9796b

Found in base branch: master

Vulnerability Details

Babel is a compiler for writing next generation JavaScript. When using versions of Babel prior to 7.26.10 and 8.0.0-alpha.17 to compile regular expression named capturing groups, Babel will generate a polyfill for the ".replace" method that has quadratic complexity on some specific replacement pattern strings (i.e. the second argument passed to ".replace"). Generated code is vulnerable if all the following conditions are true: Using Babel to compile regular expression named capturing groups, using the ".replace" method on a regular expression that contains named capturing groups, and the code using untrusted strings as the second argument of ".replace". This problem has been fixed in "@babel/helpers" and "@babel/runtime" 7.26.10 and 8.0.0-alpha.17. It's likely that individual users do not directly depend on "@babel/helpers", and instead depend on "@babel/core" (which itself depends on "@babel/helpers"). Upgrading to "@babel/core" 7.26.10 is not required, but it guarantees use of a new enough "@babel/helpers" version. Note that just updating Babel dependencies is not enough; one will also need to re-compile the code. No known workarounds are available.

Publish Date: 2025-03-11

URL: CVE-2025-27789

CVSS 3 Score Details (6.2)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-968p-4wvh-cqc8

Release Date: 2025-03-11

Fix Resolution (@babel/helpers): 7.26.10

Direct dependency fix Resolution (gatsby): 4.25.8

Fix Resolution (@babel/runtime): 7.26.10

Direct dependency fix Resolution (gatsby): 4.25.8

⛑️ Automatic Remediation will be attempted for this issue.

---

⛑️Automatic Remediation will be attempted for this issue.