diff --git a/frontend/yarn-audit-known-issues b/frontend/yarn-audit-known-issues index 653aab5a4d..7973d37577 100644 --- a/frontend/yarn-audit-known-issues +++ b/frontend/yarn-audit-known-issues @@ -1,15 +1,15 @@ -{"type":"auditAdvisory","data":{"resolution":{"id":1748,"path":"react-scripts>jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"7.4.5","paths":["react-scripts>jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>jest-config>jest-environment-jsdom>jsdom>ws"]},{"version":"6.2.1","paths":["react-scripts>webpack-dev-server>ws"]}],"id":1748,"created":"2021-05-28T19:31:06.490Z","updated":"2021-06-01T16:55:09.017Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"ws","cves":["CVE-2021-32640"],"vulnerable_versions":">=5.0.0 <7.4.6","patched_versions":">=7.4.6","overview":"In `ws` before version 7.4.6 there is a ReDOS vulnerability.\n\n### Impact\n\nA specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server.\n\n### Proof of concept\n\n```js\nfor (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {\n const value = 'b' + ' '.repeat(length) + 'x';\n const start = process.hrtime.bigint();\n\n value.trim().split(/ *, */);\n\n const end = process.hrtime.bigint();\n\n console.log('length = %d, time = %f ns', length, end - start);\n}\n```\n\n### Patches\n\nThe vulnerability was fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff).\n\n### Workarounds\n\nIn vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.\n\n### Credits\n\nThe vulnerability was responsibly disclosed along with a fix in private by [Robert McLaughlin](https://github.com/robmcl4) from University of California, Santa Barbara.\n","recommendation":"Upgrade to version 7.4.6 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-32640)\n- [GitHub Advisory](https://github.com/advisories/GHSA-6fc8-4gx4-v693)","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/1748"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1748,"path":"react-scripts>jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"7.4.5","paths":["react-scripts>jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>jest-config>jest-environment-jsdom>jsdom>ws"]},{"version":"6.2.1","paths":["react-scripts>webpack-dev-server>ws"]}],"id":1748,"created":"2021-05-28T19:31:06.490Z","updated":"2021-06-01T16:55:09.017Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"ws","cves":["CVE-2021-32640"],"vulnerable_versions":">=5.0.0 <7.4.6","patched_versions":">=7.4.6","overview":"In `ws` before version 7.4.6 there is a ReDOS vulnerability.\n\n### Impact\n\nA specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server.\n\n### Proof of concept\n\n```js\nfor (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {\n const value = 'b' + ' '.repeat(length) + 'x';\n const start = process.hrtime.bigint();\n\n value.trim().split(/ *, */);\n\n const end = process.hrtime.bigint();\n\n console.log('length = %d, time = %f ns', length, end - start);\n}\n```\n\n### Patches\n\nThe vulnerability was fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff).\n\n### Workarounds\n\nIn vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.\n\n### Credits\n\nThe vulnerability was responsibly disclosed along with a fix in private by [Robert McLaughlin](https://github.com/robmcl4) from University of California, Santa Barbara.\n","recommendation":"Upgrade to version 7.4.6 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-32640)\n- [GitHub Advisory](https://github.com/advisories/GHSA-6fc8-4gx4-v693)","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/1748"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1748,"path":"react-scripts>jest>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"7.4.5","paths":["react-scripts>jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>jest-config>jest-environment-jsdom>jsdom>ws"]},{"version":"6.2.1","paths":["react-scripts>webpack-dev-server>ws"]}],"id":1748,"created":"2021-05-28T19:31:06.490Z","updated":"2021-06-01T16:55:09.017Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"ws","cves":["CVE-2021-32640"],"vulnerable_versions":">=5.0.0 <7.4.6","patched_versions":">=7.4.6","overview":"In `ws` before version 7.4.6 there is a ReDOS vulnerability.\n\n### Impact\n\nA specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server.\n\n### Proof of concept\n\n```js\nfor (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {\n const value = 'b' + ' '.repeat(length) + 'x';\n const start = process.hrtime.bigint();\n\n value.trim().split(/ *, */);\n\n const end = process.hrtime.bigint();\n\n console.log('length = %d, time = %f ns', length, end - start);\n}\n```\n\n### Patches\n\nThe vulnerability was fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff).\n\n### Workarounds\n\nIn vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.\n\n### Credits\n\nThe vulnerability was responsibly disclosed along with a fix in private by [Robert McLaughlin](https://github.com/robmcl4) from University of California, Santa Barbara.\n","recommendation":"Upgrade to version 7.4.6 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-32640)\n- [GitHub Advisory](https://github.com/advisories/GHSA-6fc8-4gx4-v693)","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/1748"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1748,"path":"react-scripts>jest>jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"7.4.5","paths":["react-scripts>jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>jest-config>jest-environment-jsdom>jsdom>ws"]},{"version":"6.2.1","paths":["react-scripts>webpack-dev-server>ws"]}],"id":1748,"created":"2021-05-28T19:31:06.490Z","updated":"2021-06-01T16:55:09.017Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"ws","cves":["CVE-2021-32640"],"vulnerable_versions":">=5.0.0 <7.4.6","patched_versions":">=7.4.6","overview":"In `ws` before version 7.4.6 there is a ReDOS vulnerability.\n\n### Impact\n\nA specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server.\n\n### Proof of concept\n\n```js\nfor (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {\n const value = 'b' + ' '.repeat(length) + 'x';\n const start = process.hrtime.bigint();\n\n value.trim().split(/ *, */);\n\n const end = process.hrtime.bigint();\n\n console.log('length = %d, time = %f ns', length, end - start);\n}\n```\n\n### Patches\n\nThe vulnerability was fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff).\n\n### Workarounds\n\nIn vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.\n\n### Credits\n\nThe vulnerability was responsibly disclosed along with a fix in private by [Robert McLaughlin](https://github.com/robmcl4) from University of California, Santa Barbara.\n","recommendation":"Upgrade to version 7.4.6 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-32640)\n- [GitHub Advisory](https://github.com/advisories/GHSA-6fc8-4gx4-v693)","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/1748"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1748,"path":"react-scripts>jest-circus>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"7.4.5","paths":["react-scripts>jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>jest-config>jest-environment-jsdom>jsdom>ws"]},{"version":"6.2.1","paths":["react-scripts>webpack-dev-server>ws"]}],"id":1748,"created":"2021-05-28T19:31:06.490Z","updated":"2021-06-01T16:55:09.017Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"ws","cves":["CVE-2021-32640"],"vulnerable_versions":">=5.0.0 <7.4.6","patched_versions":">=7.4.6","overview":"In `ws` before version 7.4.6 there is a ReDOS vulnerability.\n\n### Impact\n\nA specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server.\n\n### Proof of concept\n\n```js\nfor (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {\n const value = 'b' + ' '.repeat(length) + 'x';\n const start = process.hrtime.bigint();\n\n value.trim().split(/ *, */);\n\n const end = process.hrtime.bigint();\n\n console.log('length = %d, time = %f ns', length, end - start);\n}\n```\n\n### Patches\n\nThe vulnerability was fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff).\n\n### Workarounds\n\nIn vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.\n\n### Credits\n\nThe vulnerability was responsibly disclosed along with a fix in private by [Robert McLaughlin](https://github.com/robmcl4) from University of California, Santa Barbara.\n","recommendation":"Upgrade to version 7.4.6 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-32640)\n- [GitHub Advisory](https://github.com/advisories/GHSA-6fc8-4gx4-v693)","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/1748"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1748,"path":"react-scripts>jest>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"7.4.5","paths":["react-scripts>jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>jest-config>jest-environment-jsdom>jsdom>ws"]},{"version":"6.2.1","paths":["react-scripts>webpack-dev-server>ws"]}],"id":1748,"created":"2021-05-28T19:31:06.490Z","updated":"2021-06-01T16:55:09.017Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"ws","cves":["CVE-2021-32640"],"vulnerable_versions":">=5.0.0 <7.4.6","patched_versions":">=7.4.6","overview":"In `ws` before version 7.4.6 there is a ReDOS vulnerability.\n\n### Impact\n\nA specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server.\n\n### Proof of concept\n\n```js\nfor (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {\n const value = 'b' + ' '.repeat(length) + 'x';\n const start = process.hrtime.bigint();\n\n value.trim().split(/ *, */);\n\n const end = process.hrtime.bigint();\n\n console.log('length = %d, time = %f ns', length, end - start);\n}\n```\n\n### Patches\n\nThe vulnerability was fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff).\n\n### Workarounds\n\nIn vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.\n\n### Credits\n\nThe vulnerability was responsibly disclosed along with a fix in private by [Robert McLaughlin](https://github.com/robmcl4) from University of California, Santa Barbara.\n","recommendation":"Upgrade to version 7.4.6 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-32640)\n- [GitHub Advisory](https://github.com/advisories/GHSA-6fc8-4gx4-v693)","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/1748"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1748,"path":"react-scripts>jest>jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"7.4.5","paths":["react-scripts>jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>jest-config>jest-environment-jsdom>jsdom>ws"]},{"version":"6.2.1","paths":["react-scripts>webpack-dev-server>ws"]}],"id":1748,"created":"2021-05-28T19:31:06.490Z","updated":"2021-06-01T16:55:09.017Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"ws","cves":["CVE-2021-32640"],"vulnerable_versions":">=5.0.0 <7.4.6","patched_versions":">=7.4.6","overview":"In `ws` before version 7.4.6 there is a ReDOS vulnerability.\n\n### Impact\n\nA specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server.\n\n### Proof of concept\n\n```js\nfor (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {\n const value = 'b' + ' '.repeat(length) + 'x';\n const start = process.hrtime.bigint();\n\n value.trim().split(/ *, */);\n\n const end = process.hrtime.bigint();\n\n console.log('length = %d, time = %f ns', length, end - start);\n}\n```\n\n### Patches\n\nThe vulnerability was fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff).\n\n### Workarounds\n\nIn vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.\n\n### Credits\n\nThe vulnerability was responsibly disclosed along with a fix in private by [Robert McLaughlin](https://github.com/robmcl4) from University of California, Santa Barbara.\n","recommendation":"Upgrade to version 7.4.6 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-32640)\n- [GitHub Advisory](https://github.com/advisories/GHSA-6fc8-4gx4-v693)","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/1748"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1748,"path":"react-scripts>jest-circus>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"7.4.5","paths":["react-scripts>jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>jest-config>jest-environment-jsdom>jsdom>ws"]},{"version":"6.2.1","paths":["react-scripts>webpack-dev-server>ws"]}],"id":1748,"created":"2021-05-28T19:31:06.490Z","updated":"2021-06-01T16:55:09.017Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"ws","cves":["CVE-2021-32640"],"vulnerable_versions":">=5.0.0 <7.4.6","patched_versions":">=7.4.6","overview":"In `ws` before version 7.4.6 there is a ReDOS vulnerability.\n\n### Impact\n\nA specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server.\n\n### Proof of concept\n\n```js\nfor (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {\n const value = 'b' + ' '.repeat(length) + 'x';\n const start = process.hrtime.bigint();\n\n value.trim().split(/ *, */);\n\n const end = process.hrtime.bigint();\n\n console.log('length = %d, time = %f ns', length, end - start);\n}\n```\n\n### Patches\n\nThe vulnerability was fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff).\n\n### Workarounds\n\nIn vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.\n\n### Credits\n\nThe vulnerability was responsibly disclosed along with a fix in private by [Robert McLaughlin](https://github.com/robmcl4) from University of California, Santa Barbara.\n","recommendation":"Upgrade to version 7.4.6 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-32640)\n- [GitHub Advisory](https://github.com/advisories/GHSA-6fc8-4gx4-v693)","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/1748"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1748,"path":"react-scripts>jest>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"7.4.5","paths":["react-scripts>jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>jest-config>jest-environment-jsdom>jsdom>ws"]},{"version":"6.2.1","paths":["react-scripts>webpack-dev-server>ws"]}],"id":1748,"created":"2021-05-28T19:31:06.490Z","updated":"2021-06-01T16:55:09.017Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"ws","cves":["CVE-2021-32640"],"vulnerable_versions":">=5.0.0 <7.4.6","patched_versions":">=7.4.6","overview":"In `ws` before version 7.4.6 there is a ReDOS vulnerability.\n\n### Impact\n\nA specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server.\n\n### Proof of concept\n\n```js\nfor (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {\n const value = 'b' + ' '.repeat(length) + 'x';\n const start = process.hrtime.bigint();\n\n value.trim().split(/ *, */);\n\n const end = process.hrtime.bigint();\n\n console.log('length = %d, time = %f ns', length, end - start);\n}\n```\n\n### Patches\n\nThe vulnerability was fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff).\n\n### Workarounds\n\nIn vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.\n\n### Credits\n\nThe vulnerability was responsibly disclosed along with a fix in private by [Robert McLaughlin](https://github.com/robmcl4) from University of California, Santa Barbara.\n","recommendation":"Upgrade to version 7.4.6 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-32640)\n- [GitHub Advisory](https://github.com/advisories/GHSA-6fc8-4gx4-v693)","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/1748"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1748,"path":"react-scripts>jest>jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"7.4.5","paths":["react-scripts>jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>jest-config>jest-environment-jsdom>jsdom>ws"]},{"version":"6.2.1","paths":["react-scripts>webpack-dev-server>ws"]}],"id":1748,"created":"2021-05-28T19:31:06.490Z","updated":"2021-06-01T16:55:09.017Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"ws","cves":["CVE-2021-32640"],"vulnerable_versions":">=5.0.0 <7.4.6","patched_versions":">=7.4.6","overview":"In `ws` before version 7.4.6 there is a ReDOS vulnerability.\n\n### Impact\n\nA specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server.\n\n### Proof of concept\n\n```js\nfor (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {\n const value = 'b' + ' '.repeat(length) + 'x';\n const start = process.hrtime.bigint();\n\n value.trim().split(/ *, */);\n\n const end = process.hrtime.bigint();\n\n console.log('length = %d, time = %f ns', length, end - start);\n}\n```\n\n### Patches\n\nThe vulnerability was fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff).\n\n### Workarounds\n\nIn vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.\n\n### Credits\n\nThe vulnerability was responsibly disclosed along with a fix in private by [Robert McLaughlin](https://github.com/robmcl4) from University of California, Santa Barbara.\n","recommendation":"Upgrade to version 7.4.6 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-32640)\n- [GitHub Advisory](https://github.com/advisories/GHSA-6fc8-4gx4-v693)","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/1748"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1748,"path":"react-scripts>jest-circus>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"7.4.5","paths":["react-scripts>jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>jest-config>jest-environment-jsdom>jsdom>ws"]},{"version":"6.2.1","paths":["react-scripts>webpack-dev-server>ws"]}],"id":1748,"created":"2021-05-28T19:31:06.490Z","updated":"2021-06-01T16:55:09.017Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"ws","cves":["CVE-2021-32640"],"vulnerable_versions":">=5.0.0 <7.4.6","patched_versions":">=7.4.6","overview":"In `ws` before version 7.4.6 there is a ReDOS vulnerability.\n\n### Impact\n\nA specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server.\n\n### Proof of concept\n\n```js\nfor (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {\n const value = 'b' + ' '.repeat(length) + 'x';\n const start = process.hrtime.bigint();\n\n value.trim().split(/ *, */);\n\n const end = process.hrtime.bigint();\n\n console.log('length = %d, time = %f ns', length, end - start);\n}\n```\n\n### Patches\n\nThe vulnerability was fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff).\n\n### Workarounds\n\nIn vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.\n\n### Credits\n\nThe vulnerability was responsibly disclosed along with a fix in private by [Robert McLaughlin](https://github.com/robmcl4) from University of California, Santa Barbara.\n","recommendation":"Upgrade to version 7.4.6 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-32640)\n- [GitHub Advisory](https://github.com/advisories/GHSA-6fc8-4gx4-v693)","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/1748"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1748,"path":"react-scripts>jest>jest-cli>jest-config>jest-environment-jsdom>jsdom>ws","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"7.4.5","paths":["react-scripts>jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>jest-config>jest-environment-jsdom>jsdom>ws"]},{"version":"6.2.1","paths":["react-scripts>webpack-dev-server>ws"]}],"id":1748,"created":"2021-05-28T19:31:06.490Z","updated":"2021-06-01T16:55:09.017Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"ws","cves":["CVE-2021-32640"],"vulnerable_versions":">=5.0.0 <7.4.6","patched_versions":">=7.4.6","overview":"In `ws` before version 7.4.6 there is a ReDOS vulnerability.\n\n### Impact\n\nA specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server.\n\n### Proof of concept\n\n```js\nfor (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {\n const value = 'b' + ' '.repeat(length) + 'x';\n const start = process.hrtime.bigint();\n\n value.trim().split(/ *, */);\n\n const end = process.hrtime.bigint();\n\n console.log('length = %d, time = %f ns', length, end - start);\n}\n```\n\n### Patches\n\nThe vulnerability was fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff).\n\n### Workarounds\n\nIn vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.\n\n### Credits\n\nThe vulnerability was responsibly disclosed along with a fix in private by [Robert McLaughlin](https://github.com/robmcl4) from University of California, Santa Barbara.\n","recommendation":"Upgrade to version 7.4.6 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-32640)\n- [GitHub Advisory](https://github.com/advisories/GHSA-6fc8-4gx4-v693)","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/1748"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1748,"path":"react-scripts>jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"7.4.5","paths":["react-scripts>jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>jest-config>jest-environment-jsdom>jsdom>ws"]},{"version":"6.2.1","paths":["react-scripts>webpack-dev-server>ws"]}],"id":1748,"created":"2021-05-28T19:31:06.490Z","updated":"2021-06-04T19:38:37.285Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"ws","cves":["CVE-2021-32640"],"vulnerable_versions":">=5.0.0 <6.2.2 || >=7.0.0 <7.4.6","patched_versions":">=6.2.2 <7.0.0 || >=7.4.6","overview":"In `ws` before versions 6.2.2 and 7.4.6 there is a ReDOS vulnerability.\n\n### Impact\n\nA specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server.\n\n### Proof of concept\n\n```js\nfor (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {\n const value = 'b' + ' '.repeat(length) + 'x';\n const start = process.hrtime.bigint();\n\n value.trim().split(/ *, */);\n\n const end = process.hrtime.bigint();\n\n console.log('length = %d, time = %f ns', length, end - start);\n}\n```\n\n### Patches\n\nThe vulnerability was fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff).\n\n### Workarounds\n\nIn vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.\n\n### Credits\n\nThe vulnerability was responsibly disclosed along with a fix in private by [Robert McLaughlin](https://github.com/robmcl4) from University of California, Santa Barbara.\n","recommendation":"Upgrade to version 6.2.2 or 7.4.6 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-32640)\n- [GitHub Advisory](https://github.com/advisories/GHSA-6fc8-4gx4-v693)","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/1748"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1748,"path":"react-scripts>jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"7.4.5","paths":["react-scripts>jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>jest-config>jest-environment-jsdom>jsdom>ws"]},{"version":"6.2.1","paths":["react-scripts>webpack-dev-server>ws"]}],"id":1748,"created":"2021-05-28T19:31:06.490Z","updated":"2021-06-04T19:38:37.285Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"ws","cves":["CVE-2021-32640"],"vulnerable_versions":">=5.0.0 <6.2.2 || >=7.0.0 <7.4.6","patched_versions":">=6.2.2 <7.0.0 || >=7.4.6","overview":"In `ws` before versions 6.2.2 and 7.4.6 there is a ReDOS vulnerability.\n\n### Impact\n\nA specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server.\n\n### Proof of concept\n\n```js\nfor (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {\n const value = 'b' + ' '.repeat(length) + 'x';\n const start = process.hrtime.bigint();\n\n value.trim().split(/ *, */);\n\n const end = process.hrtime.bigint();\n\n console.log('length = %d, time = %f ns', length, end - start);\n}\n```\n\n### Patches\n\nThe vulnerability was fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff).\n\n### Workarounds\n\nIn vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.\n\n### Credits\n\nThe vulnerability was responsibly disclosed along with a fix in private by [Robert McLaughlin](https://github.com/robmcl4) from University of California, Santa Barbara.\n","recommendation":"Upgrade to version 6.2.2 or 7.4.6 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-32640)\n- [GitHub Advisory](https://github.com/advisories/GHSA-6fc8-4gx4-v693)","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/1748"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1748,"path":"react-scripts>jest>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"7.4.5","paths":["react-scripts>jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>jest-config>jest-environment-jsdom>jsdom>ws"]},{"version":"6.2.1","paths":["react-scripts>webpack-dev-server>ws"]}],"id":1748,"created":"2021-05-28T19:31:06.490Z","updated":"2021-06-04T19:38:37.285Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"ws","cves":["CVE-2021-32640"],"vulnerable_versions":">=5.0.0 <6.2.2 || >=7.0.0 <7.4.6","patched_versions":">=6.2.2 <7.0.0 || >=7.4.6","overview":"In `ws` before versions 6.2.2 and 7.4.6 there is a ReDOS vulnerability.\n\n### Impact\n\nA specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server.\n\n### Proof of concept\n\n```js\nfor (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {\n const value = 'b' + ' '.repeat(length) + 'x';\n const start = process.hrtime.bigint();\n\n value.trim().split(/ *, */);\n\n const end = process.hrtime.bigint();\n\n console.log('length = %d, time = %f ns', length, end - start);\n}\n```\n\n### Patches\n\nThe vulnerability was fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff).\n\n### Workarounds\n\nIn vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.\n\n### Credits\n\nThe vulnerability was responsibly disclosed along with a fix in private by [Robert McLaughlin](https://github.com/robmcl4) from University of California, Santa Barbara.\n","recommendation":"Upgrade to version 6.2.2 or 7.4.6 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-32640)\n- [GitHub Advisory](https://github.com/advisories/GHSA-6fc8-4gx4-v693)","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/1748"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1748,"path":"react-scripts>jest>jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"7.4.5","paths":["react-scripts>jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>jest-config>jest-environment-jsdom>jsdom>ws"]},{"version":"6.2.1","paths":["react-scripts>webpack-dev-server>ws"]}],"id":1748,"created":"2021-05-28T19:31:06.490Z","updated":"2021-06-04T19:38:37.285Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"ws","cves":["CVE-2021-32640"],"vulnerable_versions":">=5.0.0 <6.2.2 || >=7.0.0 <7.4.6","patched_versions":">=6.2.2 <7.0.0 || >=7.4.6","overview":"In `ws` before versions 6.2.2 and 7.4.6 there is a ReDOS vulnerability.\n\n### Impact\n\nA specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server.\n\n### Proof of concept\n\n```js\nfor (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {\n const value = 'b' + ' '.repeat(length) + 'x';\n const start = process.hrtime.bigint();\n\n value.trim().split(/ *, */);\n\n const end = process.hrtime.bigint();\n\n console.log('length = %d, time = %f ns', length, end - start);\n}\n```\n\n### Patches\n\nThe vulnerability was fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff).\n\n### Workarounds\n\nIn vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.\n\n### Credits\n\nThe vulnerability was responsibly disclosed along with a fix in private by [Robert McLaughlin](https://github.com/robmcl4) from University of California, Santa Barbara.\n","recommendation":"Upgrade to version 6.2.2 or 7.4.6 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-32640)\n- [GitHub Advisory](https://github.com/advisories/GHSA-6fc8-4gx4-v693)","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/1748"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1748,"path":"react-scripts>jest-circus>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"7.4.5","paths":["react-scripts>jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>jest-config>jest-environment-jsdom>jsdom>ws"]},{"version":"6.2.1","paths":["react-scripts>webpack-dev-server>ws"]}],"id":1748,"created":"2021-05-28T19:31:06.490Z","updated":"2021-06-04T19:38:37.285Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"ws","cves":["CVE-2021-32640"],"vulnerable_versions":">=5.0.0 <6.2.2 || >=7.0.0 <7.4.6","patched_versions":">=6.2.2 <7.0.0 || >=7.4.6","overview":"In `ws` before versions 6.2.2 and 7.4.6 there is a ReDOS vulnerability.\n\n### Impact\n\nA specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server.\n\n### Proof of concept\n\n```js\nfor (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {\n const value = 'b' + ' '.repeat(length) + 'x';\n const start = process.hrtime.bigint();\n\n value.trim().split(/ *, */);\n\n const end = process.hrtime.bigint();\n\n console.log('length = %d, time = %f ns', length, end - start);\n}\n```\n\n### Patches\n\nThe vulnerability was fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff).\n\n### Workarounds\n\nIn vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.\n\n### Credits\n\nThe vulnerability was responsibly disclosed along with a fix in private by [Robert McLaughlin](https://github.com/robmcl4) from University of California, Santa Barbara.\n","recommendation":"Upgrade to version 6.2.2 or 7.4.6 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-32640)\n- [GitHub Advisory](https://github.com/advisories/GHSA-6fc8-4gx4-v693)","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/1748"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1748,"path":"react-scripts>jest>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"7.4.5","paths":["react-scripts>jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>jest-config>jest-environment-jsdom>jsdom>ws"]},{"version":"6.2.1","paths":["react-scripts>webpack-dev-server>ws"]}],"id":1748,"created":"2021-05-28T19:31:06.490Z","updated":"2021-06-04T19:38:37.285Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"ws","cves":["CVE-2021-32640"],"vulnerable_versions":">=5.0.0 <6.2.2 || >=7.0.0 <7.4.6","patched_versions":">=6.2.2 <7.0.0 || >=7.4.6","overview":"In `ws` before versions 6.2.2 and 7.4.6 there is a ReDOS vulnerability.\n\n### Impact\n\nA specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server.\n\n### Proof of concept\n\n```js\nfor (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {\n const value = 'b' + ' '.repeat(length) + 'x';\n const start = process.hrtime.bigint();\n\n value.trim().split(/ *, */);\n\n const end = process.hrtime.bigint();\n\n console.log('length = %d, time = %f ns', length, end - start);\n}\n```\n\n### Patches\n\nThe vulnerability was fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff).\n\n### Workarounds\n\nIn vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.\n\n### Credits\n\nThe vulnerability was responsibly disclosed along with a fix in private by [Robert McLaughlin](https://github.com/robmcl4) from University of California, Santa Barbara.\n","recommendation":"Upgrade to version 6.2.2 or 7.4.6 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-32640)\n- [GitHub Advisory](https://github.com/advisories/GHSA-6fc8-4gx4-v693)","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/1748"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1748,"path":"react-scripts>jest>jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"7.4.5","paths":["react-scripts>jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>jest-config>jest-environment-jsdom>jsdom>ws"]},{"version":"6.2.1","paths":["react-scripts>webpack-dev-server>ws"]}],"id":1748,"created":"2021-05-28T19:31:06.490Z","updated":"2021-06-04T19:38:37.285Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"ws","cves":["CVE-2021-32640"],"vulnerable_versions":">=5.0.0 <6.2.2 || >=7.0.0 <7.4.6","patched_versions":">=6.2.2 <7.0.0 || >=7.4.6","overview":"In `ws` before versions 6.2.2 and 7.4.6 there is a ReDOS vulnerability.\n\n### Impact\n\nA specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server.\n\n### Proof of concept\n\n```js\nfor (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {\n const value = 'b' + ' '.repeat(length) + 'x';\n const start = process.hrtime.bigint();\n\n value.trim().split(/ *, */);\n\n const end = process.hrtime.bigint();\n\n console.log('length = %d, time = %f ns', length, end - start);\n}\n```\n\n### Patches\n\nThe vulnerability was fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff).\n\n### Workarounds\n\nIn vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.\n\n### Credits\n\nThe vulnerability was responsibly disclosed along with a fix in private by [Robert McLaughlin](https://github.com/robmcl4) from University of California, Santa Barbara.\n","recommendation":"Upgrade to version 6.2.2 or 7.4.6 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-32640)\n- [GitHub Advisory](https://github.com/advisories/GHSA-6fc8-4gx4-v693)","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/1748"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1748,"path":"react-scripts>jest-circus>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"7.4.5","paths":["react-scripts>jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>jest-config>jest-environment-jsdom>jsdom>ws"]},{"version":"6.2.1","paths":["react-scripts>webpack-dev-server>ws"]}],"id":1748,"created":"2021-05-28T19:31:06.490Z","updated":"2021-06-04T19:38:37.285Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"ws","cves":["CVE-2021-32640"],"vulnerable_versions":">=5.0.0 <6.2.2 || >=7.0.0 <7.4.6","patched_versions":">=6.2.2 <7.0.0 || >=7.4.6","overview":"In `ws` before versions 6.2.2 and 7.4.6 there is a ReDOS vulnerability.\n\n### Impact\n\nA specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server.\n\n### Proof of concept\n\n```js\nfor (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {\n const value = 'b' + ' '.repeat(length) + 'x';\n const start = process.hrtime.bigint();\n\n value.trim().split(/ *, */);\n\n const end = process.hrtime.bigint();\n\n console.log('length = %d, time = %f ns', length, end - start);\n}\n```\n\n### Patches\n\nThe vulnerability was fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff).\n\n### Workarounds\n\nIn vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.\n\n### Credits\n\nThe vulnerability was responsibly disclosed along with a fix in private by [Robert McLaughlin](https://github.com/robmcl4) from University of California, Santa Barbara.\n","recommendation":"Upgrade to version 6.2.2 or 7.4.6 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-32640)\n- [GitHub Advisory](https://github.com/advisories/GHSA-6fc8-4gx4-v693)","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/1748"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1748,"path":"react-scripts>jest>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"7.4.5","paths":["react-scripts>jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>jest-config>jest-environment-jsdom>jsdom>ws"]},{"version":"6.2.1","paths":["react-scripts>webpack-dev-server>ws"]}],"id":1748,"created":"2021-05-28T19:31:06.490Z","updated":"2021-06-04T19:38:37.285Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"ws","cves":["CVE-2021-32640"],"vulnerable_versions":">=5.0.0 <6.2.2 || >=7.0.0 <7.4.6","patched_versions":">=6.2.2 <7.0.0 || >=7.4.6","overview":"In `ws` before versions 6.2.2 and 7.4.6 there is a ReDOS vulnerability.\n\n### Impact\n\nA specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server.\n\n### Proof of concept\n\n```js\nfor (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {\n const value = 'b' + ' '.repeat(length) + 'x';\n const start = process.hrtime.bigint();\n\n value.trim().split(/ *, */);\n\n const end = process.hrtime.bigint();\n\n console.log('length = %d, time = %f ns', length, end - start);\n}\n```\n\n### Patches\n\nThe vulnerability was fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff).\n\n### Workarounds\n\nIn vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.\n\n### Credits\n\nThe vulnerability was responsibly disclosed along with a fix in private by [Robert McLaughlin](https://github.com/robmcl4) from University of California, Santa Barbara.\n","recommendation":"Upgrade to version 6.2.2 or 7.4.6 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-32640)\n- [GitHub Advisory](https://github.com/advisories/GHSA-6fc8-4gx4-v693)","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/1748"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1748,"path":"react-scripts>jest>jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"7.4.5","paths":["react-scripts>jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>jest-config>jest-environment-jsdom>jsdom>ws"]},{"version":"6.2.1","paths":["react-scripts>webpack-dev-server>ws"]}],"id":1748,"created":"2021-05-28T19:31:06.490Z","updated":"2021-06-04T19:38:37.285Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"ws","cves":["CVE-2021-32640"],"vulnerable_versions":">=5.0.0 <6.2.2 || >=7.0.0 <7.4.6","patched_versions":">=6.2.2 <7.0.0 || >=7.4.6","overview":"In `ws` before versions 6.2.2 and 7.4.6 there is a ReDOS vulnerability.\n\n### Impact\n\nA specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server.\n\n### Proof of concept\n\n```js\nfor (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {\n const value = 'b' + ' '.repeat(length) + 'x';\n const start = process.hrtime.bigint();\n\n value.trim().split(/ *, */);\n\n const end = process.hrtime.bigint();\n\n console.log('length = %d, time = %f ns', length, end - start);\n}\n```\n\n### Patches\n\nThe vulnerability was fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff).\n\n### Workarounds\n\nIn vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.\n\n### Credits\n\nThe vulnerability was responsibly disclosed along with a fix in private by [Robert McLaughlin](https://github.com/robmcl4) from University of California, Santa Barbara.\n","recommendation":"Upgrade to version 6.2.2 or 7.4.6 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-32640)\n- [GitHub Advisory](https://github.com/advisories/GHSA-6fc8-4gx4-v693)","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/1748"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1748,"path":"react-scripts>jest-circus>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"7.4.5","paths":["react-scripts>jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>jest-config>jest-environment-jsdom>jsdom>ws"]},{"version":"6.2.1","paths":["react-scripts>webpack-dev-server>ws"]}],"id":1748,"created":"2021-05-28T19:31:06.490Z","updated":"2021-06-04T19:38:37.285Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"ws","cves":["CVE-2021-32640"],"vulnerable_versions":">=5.0.0 <6.2.2 || >=7.0.0 <7.4.6","patched_versions":">=6.2.2 <7.0.0 || >=7.4.6","overview":"In `ws` before versions 6.2.2 and 7.4.6 there is a ReDOS vulnerability.\n\n### Impact\n\nA specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server.\n\n### Proof of concept\n\n```js\nfor (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {\n const value = 'b' + ' '.repeat(length) + 'x';\n const start = process.hrtime.bigint();\n\n value.trim().split(/ *, */);\n\n const end = process.hrtime.bigint();\n\n console.log('length = %d, time = %f ns', length, end - start);\n}\n```\n\n### Patches\n\nThe vulnerability was fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff).\n\n### Workarounds\n\nIn vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.\n\n### Credits\n\nThe vulnerability was responsibly disclosed along with a fix in private by [Robert McLaughlin](https://github.com/robmcl4) from University of California, Santa Barbara.\n","recommendation":"Upgrade to version 6.2.2 or 7.4.6 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-32640)\n- [GitHub Advisory](https://github.com/advisories/GHSA-6fc8-4gx4-v693)","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/1748"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1748,"path":"react-scripts>jest>jest-cli>jest-config>jest-environment-jsdom>jsdom>ws","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"7.4.5","paths":["react-scripts>jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>jest-config>jest-environment-jsdom>jsdom>ws"]},{"version":"6.2.1","paths":["react-scripts>webpack-dev-server>ws"]}],"id":1748,"created":"2021-05-28T19:31:06.490Z","updated":"2021-06-04T19:38:37.285Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"ws","cves":["CVE-2021-32640"],"vulnerable_versions":">=5.0.0 <6.2.2 || >=7.0.0 <7.4.6","patched_versions":">=6.2.2 <7.0.0 || >=7.4.6","overview":"In `ws` before versions 6.2.2 and 7.4.6 there is a ReDOS vulnerability.\n\n### Impact\n\nA specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server.\n\n### Proof of concept\n\n```js\nfor (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {\n const value = 'b' + ' '.repeat(length) + 'x';\n const start = process.hrtime.bigint();\n\n value.trim().split(/ *, */);\n\n const end = process.hrtime.bigint();\n\n console.log('length = %d, time = %f ns', length, end - start);\n}\n```\n\n### Patches\n\nThe vulnerability was fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff).\n\n### Workarounds\n\nIn vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.\n\n### Credits\n\nThe vulnerability was responsibly disclosed along with a fix in private by [Robert McLaughlin](https://github.com/robmcl4) from University of California, Santa Barbara.\n","recommendation":"Upgrade to version 6.2.2 or 7.4.6 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-32640)\n- [GitHub Advisory](https://github.com/advisories/GHSA-6fc8-4gx4-v693)","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/1748"}}} {"type":"auditAdvisory","data":{"resolution":{"id":1693,"path":"react-scripts>css-loader>icss-utils>postcss","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"7.0.35","paths":["react-scripts>css-loader>icss-utils>postcss","react-scripts>css-loader>postcss-modules-local-by-default>icss-utils>postcss","react-scripts>css-loader>postcss-modules-values>icss-utils>postcss","react-scripts>css-loader>postcss","react-scripts>css-loader>postcss-modules-extract-imports>postcss","react-scripts>css-loader>postcss-modules-local-by-default>postcss","react-scripts>css-loader>postcss-modules-scope>postcss","react-scripts>css-loader>postcss-modules-values>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>css-declaration-sorter>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>cssnano-util-raw-cache>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-calc>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-colormin>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-convert-values>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-discard-comments>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-discard-duplicates>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-discard-empty>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-discard-overridden>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-merge-longhand>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-merge-longhand>stylehacks>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-merge-rules>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-minify-font-values>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-minify-gradients>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-minify-params>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-minify-selectors>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-normalize-charset>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-normalize-display-values>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-normalize-positions>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-normalize-repeat-style>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-normalize-string>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-normalize-timing-functions>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-normalize-unicode>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-normalize-url>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-normalize-whitespace>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-ordered-values>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-reduce-initial>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-reduce-transforms>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-svgo>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-unique-selectors>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>postcss","react-scripts>postcss-flexbugs-fixes>postcss","react-scripts>postcss-loader>postcss","react-scripts>postcss-normalize>postcss","react-scripts>postcss-normalize>postcss-browser-comments>postcss","react-scripts>postcss-preset-env>autoprefixer>postcss","react-scripts>postcss-preset-env>css-blank-pseudo>postcss","react-scripts>postcss-preset-env>css-has-pseudo>postcss","react-scripts>postcss-preset-env>css-prefers-color-scheme>postcss","react-scripts>postcss-preset-env>postcss","react-scripts>postcss-preset-env>postcss-attribute-case-insensitive>postcss","react-scripts>postcss-preset-env>postcss-color-functional-notation>postcss","react-scripts>postcss-preset-env>postcss-color-gray>postcss","react-scripts>postcss-preset-env>postcss-color-hex-alpha>postcss","react-scripts>postcss-preset-env>postcss-color-mod-function>postcss","react-scripts>postcss-preset-env>postcss-color-rebeccapurple>postcss","react-scripts>postcss-preset-env>postcss-custom-media>postcss","react-scripts>postcss-preset-env>postcss-custom-properties>postcss","react-scripts>postcss-preset-env>postcss-custom-selectors>postcss","react-scripts>postcss-preset-env>postcss-dir-pseudo-class>postcss","react-scripts>postcss-preset-env>postcss-double-position-gradients>postcss","react-scripts>postcss-preset-env>postcss-env-function>postcss","react-scripts>postcss-preset-env>postcss-focus-visible>postcss","react-scripts>postcss-preset-env>postcss-focus-within>postcss","react-scripts>postcss-preset-env>postcss-font-variant>postcss","react-scripts>postcss-preset-env>postcss-gap-properties>postcss","react-scripts>postcss-preset-env>postcss-image-set-function>postcss","react-scripts>postcss-preset-env>postcss-initial>postcss","react-scripts>postcss-preset-env>postcss-lab-function>postcss","react-scripts>postcss-preset-env>postcss-logical>postcss","react-scripts>postcss-preset-env>postcss-media-minmax>postcss","react-scripts>postcss-preset-env>postcss-nesting>postcss","react-scripts>postcss-preset-env>postcss-overflow-shorthand>postcss","react-scripts>postcss-preset-env>postcss-page-break>postcss","react-scripts>postcss-preset-env>postcss-place>postcss","react-scripts>postcss-preset-env>postcss-pseudo-class-any-link>postcss","react-scripts>postcss-preset-env>postcss-replace-overflow-wrap>postcss","react-scripts>postcss-preset-env>postcss-selector-matches>postcss","react-scripts>postcss-preset-env>postcss-selector-not>postcss"]},{"version":"7.0.21","paths":["react-scripts>resolve-url-loader>postcss"]}],"id":1693,"created":"2021-05-10T15:38:31.238Z","updated":"2021-05-10T15:44:02.027Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"postcss","cves":["CVE-2021-23368"],"vulnerable_versions":">=7.0.0 <8.2.10","patched_versions":">=8.2.10","overview":"`postcss` from 7.0.0 and before 8.2.10 are vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.","recommendation":"Upgrade to version 8.2.10 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-23368)\n- [GitHub Advisory](https://github.com/advisories/GHSA-hwj9-h5mp-3pm3)\n","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/1693"}}} {"type":"auditAdvisory","data":{"resolution":{"id":1693,"path":"react-scripts>css-loader>postcss-modules-local-by-default>icss-utils>postcss","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"7.0.35","paths":["react-scripts>css-loader>icss-utils>postcss","react-scripts>css-loader>postcss-modules-local-by-default>icss-utils>postcss","react-scripts>css-loader>postcss-modules-values>icss-utils>postcss","react-scripts>css-loader>postcss","react-scripts>css-loader>postcss-modules-extract-imports>postcss","react-scripts>css-loader>postcss-modules-local-by-default>postcss","react-scripts>css-loader>postcss-modules-scope>postcss","react-scripts>css-loader>postcss-modules-values>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>css-declaration-sorter>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>cssnano-util-raw-cache>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-calc>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-colormin>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-convert-values>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-discard-comments>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-discard-duplicates>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-discard-empty>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-discard-overridden>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-merge-longhand>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-merge-longhand>stylehacks>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-merge-rules>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-minify-font-values>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-minify-gradients>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-minify-params>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-minify-selectors>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-normalize-charset>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-normalize-display-values>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-normalize-positions>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-normalize-repeat-style>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-normalize-string>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-normalize-timing-functions>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-normalize-unicode>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-normalize-url>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-normalize-whitespace>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-ordered-values>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-reduce-initial>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-reduce-transforms>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-svgo>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-unique-selectors>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>postcss","react-scripts>postcss-flexbugs-fixes>postcss","react-scripts>postcss-loader>postcss","react-scripts>postcss-normalize>postcss","react-scripts>postcss-normalize>postcss-browser-comments>postcss","react-scripts>postcss-preset-env>autoprefixer>postcss","react-scripts>postcss-preset-env>css-blank-pseudo>postcss","react-scripts>postcss-preset-env>css-has-pseudo>postcss","react-scripts>postcss-preset-env>css-prefers-color-scheme>postcss","react-scripts>postcss-preset-env>postcss","react-scripts>postcss-preset-env>postcss-attribute-case-insensitive>postcss","react-scripts>postcss-preset-env>postcss-color-functional-notation>postcss","react-scripts>postcss-preset-env>postcss-color-gray>postcss","react-scripts>postcss-preset-env>postcss-color-hex-alpha>postcss","react-scripts>postcss-preset-env>postcss-color-mod-function>postcss","react-scripts>postcss-preset-env>postcss-color-rebeccapurple>postcss","react-scripts>postcss-preset-env>postcss-custom-media>postcss","react-scripts>postcss-preset-env>postcss-custom-properties>postcss","react-scripts>postcss-preset-env>postcss-custom-selectors>postcss","react-scripts>postcss-preset-env>postcss-dir-pseudo-class>postcss","react-scripts>postcss-preset-env>postcss-double-position-gradients>postcss","react-scripts>postcss-preset-env>postcss-env-function>postcss","react-scripts>postcss-preset-env>postcss-focus-visible>postcss","react-scripts>postcss-preset-env>postcss-focus-within>postcss","react-scripts>postcss-preset-env>postcss-font-variant>postcss","react-scripts>postcss-preset-env>postcss-gap-properties>postcss","react-scripts>postcss-preset-env>postcss-image-set-function>postcss","react-scripts>postcss-preset-env>postcss-initial>postcss","react-scripts>postcss-preset-env>postcss-lab-function>postcss","react-scripts>postcss-preset-env>postcss-logical>postcss","react-scripts>postcss-preset-env>postcss-media-minmax>postcss","react-scripts>postcss-preset-env>postcss-nesting>postcss","react-scripts>postcss-preset-env>postcss-overflow-shorthand>postcss","react-scripts>postcss-preset-env>postcss-page-break>postcss","react-scripts>postcss-preset-env>postcss-place>postcss","react-scripts>postcss-preset-env>postcss-pseudo-class-any-link>postcss","react-scripts>postcss-preset-env>postcss-replace-overflow-wrap>postcss","react-scripts>postcss-preset-env>postcss-selector-matches>postcss","react-scripts>postcss-preset-env>postcss-selector-not>postcss"]},{"version":"7.0.21","paths":["react-scripts>resolve-url-loader>postcss"]}],"id":1693,"created":"2021-05-10T15:38:31.238Z","updated":"2021-05-10T15:44:02.027Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"postcss","cves":["CVE-2021-23368"],"vulnerable_versions":">=7.0.0 <8.2.10","patched_versions":">=8.2.10","overview":"`postcss` from 7.0.0 and before 8.2.10 are vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.","recommendation":"Upgrade to version 8.2.10 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-23368)\n- [GitHub Advisory](https://github.com/advisories/GHSA-hwj9-h5mp-3pm3)\n","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/1693"}}} {"type":"auditAdvisory","data":{"resolution":{"id":1693,"path":"react-scripts>css-loader>postcss-modules-values>icss-utils>postcss","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"7.0.35","paths":["react-scripts>css-loader>icss-utils>postcss","react-scripts>css-loader>postcss-modules-local-by-default>icss-utils>postcss","react-scripts>css-loader>postcss-modules-values>icss-utils>postcss","react-scripts>css-loader>postcss","react-scripts>css-loader>postcss-modules-extract-imports>postcss","react-scripts>css-loader>postcss-modules-local-by-default>postcss","react-scripts>css-loader>postcss-modules-scope>postcss","react-scripts>css-loader>postcss-modules-values>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>css-declaration-sorter>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>cssnano-util-raw-cache>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-calc>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-colormin>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-convert-values>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-discard-comments>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-discard-duplicates>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-discard-empty>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-discard-overridden>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-merge-longhand>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-merge-longhand>stylehacks>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-merge-rules>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-minify-font-values>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-minify-gradients>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-minify-params>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-minify-selectors>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-normalize-charset>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-normalize-display-values>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-normalize-positions>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-normalize-repeat-style>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-normalize-string>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-normalize-timing-functions>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-normalize-unicode>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-normalize-url>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-normalize-whitespace>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-ordered-values>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-reduce-initial>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-reduce-transforms>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-svgo>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-unique-selectors>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>postcss","react-scripts>postcss-flexbugs-fixes>postcss","react-scripts>postcss-loader>postcss","react-scripts>postcss-normalize>postcss","react-scripts>postcss-normalize>postcss-browser-comments>postcss","react-scripts>postcss-preset-env>autoprefixer>postcss","react-scripts>postcss-preset-env>css-blank-pseudo>postcss","react-scripts>postcss-preset-env>css-has-pseudo>postcss","react-scripts>postcss-preset-env>css-prefers-color-scheme>postcss","react-scripts>postcss-preset-env>postcss","react-scripts>postcss-preset-env>postcss-attribute-case-insensitive>postcss","react-scripts>postcss-preset-env>postcss-color-functional-notation>postcss","react-scripts>postcss-preset-env>postcss-color-gray>postcss","react-scripts>postcss-preset-env>postcss-color-hex-alpha>postcss","react-scripts>postcss-preset-env>postcss-color-mod-function>postcss","react-scripts>postcss-preset-env>postcss-color-rebeccapurple>postcss","react-scripts>postcss-preset-env>postcss-custom-media>postcss","react-scripts>postcss-preset-env>postcss-custom-properties>postcss","react-scripts>postcss-preset-env>postcss-custom-selectors>postcss","react-scripts>postcss-preset-env>postcss-dir-pseudo-class>postcss","react-scripts>postcss-preset-env>postcss-double-position-gradients>postcss","react-scripts>postcss-preset-env>postcss-env-function>postcss","react-scripts>postcss-preset-env>postcss-focus-visible>postcss","react-scripts>postcss-preset-env>postcss-focus-within>postcss","react-scripts>postcss-preset-env>postcss-font-variant>postcss","react-scripts>postcss-preset-env>postcss-gap-properties>postcss","react-scripts>postcss-preset-env>postcss-image-set-function>postcss","react-scripts>postcss-preset-env>postcss-initial>postcss","react-scripts>postcss-preset-env>postcss-lab-function>postcss","react-scripts>postcss-preset-env>postcss-logical>postcss","react-scripts>postcss-preset-env>postcss-media-minmax>postcss","react-scripts>postcss-preset-env>postcss-nesting>postcss","react-scripts>postcss-preset-env>postcss-overflow-shorthand>postcss","react-scripts>postcss-preset-env>postcss-page-break>postcss","react-scripts>postcss-preset-env>postcss-place>postcss","react-scripts>postcss-preset-env>postcss-pseudo-class-any-link>postcss","react-scripts>postcss-preset-env>postcss-replace-overflow-wrap>postcss","react-scripts>postcss-preset-env>postcss-selector-matches>postcss","react-scripts>postcss-preset-env>postcss-selector-not>postcss"]},{"version":"7.0.21","paths":["react-scripts>resolve-url-loader>postcss"]}],"id":1693,"created":"2021-05-10T15:38:31.238Z","updated":"2021-05-10T15:44:02.027Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"postcss","cves":["CVE-2021-23368"],"vulnerable_versions":">=7.0.0 <8.2.10","patched_versions":">=8.2.10","overview":"`postcss` from 7.0.0 and before 8.2.10 are vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.","recommendation":"Upgrade to version 8.2.10 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-23368)\n- [GitHub Advisory](https://github.com/advisories/GHSA-hwj9-h5mp-3pm3)\n","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/1693"}}} @@ -90,4 +90,4 @@ {"type":"auditAdvisory","data":{"resolution":{"id":1693,"path":"react-scripts>postcss-preset-env>postcss-selector-not>postcss","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"7.0.35","paths":["react-scripts>css-loader>icss-utils>postcss","react-scripts>css-loader>postcss-modules-local-by-default>icss-utils>postcss","react-scripts>css-loader>postcss-modules-values>icss-utils>postcss","react-scripts>css-loader>postcss","react-scripts>css-loader>postcss-modules-extract-imports>postcss","react-scripts>css-loader>postcss-modules-local-by-default>postcss","react-scripts>css-loader>postcss-modules-scope>postcss","react-scripts>css-loader>postcss-modules-values>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>css-declaration-sorter>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>cssnano-util-raw-cache>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-calc>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-colormin>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-convert-values>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-discard-comments>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-discard-duplicates>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-discard-empty>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-discard-overridden>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-merge-longhand>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-merge-longhand>stylehacks>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-merge-rules>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-minify-font-values>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-minify-gradients>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-minify-params>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-minify-selectors>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-normalize-charset>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-normalize-display-values>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-normalize-positions>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-normalize-repeat-style>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-normalize-string>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-normalize-timing-functions>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-normalize-unicode>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-normalize-url>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-normalize-whitespace>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-ordered-values>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-reduce-initial>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-reduce-transforms>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-svgo>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-unique-selectors>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>postcss","react-scripts>postcss-flexbugs-fixes>postcss","react-scripts>postcss-loader>postcss","react-scripts>postcss-normalize>postcss","react-scripts>postcss-normalize>postcss-browser-comments>postcss","react-scripts>postcss-preset-env>autoprefixer>postcss","react-scripts>postcss-preset-env>css-blank-pseudo>postcss","react-scripts>postcss-preset-env>css-has-pseudo>postcss","react-scripts>postcss-preset-env>css-prefers-color-scheme>postcss","react-scripts>postcss-preset-env>postcss","react-scripts>postcss-preset-env>postcss-attribute-case-insensitive>postcss","react-scripts>postcss-preset-env>postcss-color-functional-notation>postcss","react-scripts>postcss-preset-env>postcss-color-gray>postcss","react-scripts>postcss-preset-env>postcss-color-hex-alpha>postcss","react-scripts>postcss-preset-env>postcss-color-mod-function>postcss","react-scripts>postcss-preset-env>postcss-color-rebeccapurple>postcss","react-scripts>postcss-preset-env>postcss-custom-media>postcss","react-scripts>postcss-preset-env>postcss-custom-properties>postcss","react-scripts>postcss-preset-env>postcss-custom-selectors>postcss","react-scripts>postcss-preset-env>postcss-dir-pseudo-class>postcss","react-scripts>postcss-preset-env>postcss-double-position-gradients>postcss","react-scripts>postcss-preset-env>postcss-env-function>postcss","react-scripts>postcss-preset-env>postcss-focus-visible>postcss","react-scripts>postcss-preset-env>postcss-focus-within>postcss","react-scripts>postcss-preset-env>postcss-font-variant>postcss","react-scripts>postcss-preset-env>postcss-gap-properties>postcss","react-scripts>postcss-preset-env>postcss-image-set-function>postcss","react-scripts>postcss-preset-env>postcss-initial>postcss","react-scripts>postcss-preset-env>postcss-lab-function>postcss","react-scripts>postcss-preset-env>postcss-logical>postcss","react-scripts>postcss-preset-env>postcss-media-minmax>postcss","react-scripts>postcss-preset-env>postcss-nesting>postcss","react-scripts>postcss-preset-env>postcss-overflow-shorthand>postcss","react-scripts>postcss-preset-env>postcss-page-break>postcss","react-scripts>postcss-preset-env>postcss-place>postcss","react-scripts>postcss-preset-env>postcss-pseudo-class-any-link>postcss","react-scripts>postcss-preset-env>postcss-replace-overflow-wrap>postcss","react-scripts>postcss-preset-env>postcss-selector-matches>postcss","react-scripts>postcss-preset-env>postcss-selector-not>postcss"]},{"version":"7.0.21","paths":["react-scripts>resolve-url-loader>postcss"]}],"id":1693,"created":"2021-05-10T15:38:31.238Z","updated":"2021-05-10T15:44:02.027Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"postcss","cves":["CVE-2021-23368"],"vulnerable_versions":">=7.0.0 <8.2.10","patched_versions":">=8.2.10","overview":"`postcss` from 7.0.0 and before 8.2.10 are vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.","recommendation":"Upgrade to version 8.2.10 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-23368)\n- [GitHub Advisory](https://github.com/advisories/GHSA-hwj9-h5mp-3pm3)\n","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/1693"}}} {"type":"auditAdvisory","data":{"resolution":{"id":1693,"path":"react-scripts>resolve-url-loader>postcss","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"7.0.35","paths":["react-scripts>css-loader>icss-utils>postcss","react-scripts>css-loader>postcss-modules-local-by-default>icss-utils>postcss","react-scripts>css-loader>postcss-modules-values>icss-utils>postcss","react-scripts>css-loader>postcss","react-scripts>css-loader>postcss-modules-extract-imports>postcss","react-scripts>css-loader>postcss-modules-local-by-default>postcss","react-scripts>css-loader>postcss-modules-scope>postcss","react-scripts>css-loader>postcss-modules-values>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>css-declaration-sorter>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>cssnano-util-raw-cache>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-calc>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-colormin>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-convert-values>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-discard-comments>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-discard-duplicates>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-discard-empty>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-discard-overridden>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-merge-longhand>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-merge-longhand>stylehacks>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-merge-rules>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-minify-font-values>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-minify-gradients>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-minify-params>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-minify-selectors>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-normalize-charset>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-normalize-display-values>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-normalize-positions>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-normalize-repeat-style>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-normalize-string>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-normalize-timing-functions>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-normalize-unicode>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-normalize-url>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-normalize-whitespace>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-ordered-values>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-reduce-initial>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-reduce-transforms>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-svgo>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>cssnano-preset-default>postcss-unique-selectors>postcss","react-scripts>optimize-css-assets-webpack-plugin>cssnano>postcss","react-scripts>postcss-flexbugs-fixes>postcss","react-scripts>postcss-loader>postcss","react-scripts>postcss-normalize>postcss","react-scripts>postcss-normalize>postcss-browser-comments>postcss","react-scripts>postcss-preset-env>autoprefixer>postcss","react-scripts>postcss-preset-env>css-blank-pseudo>postcss","react-scripts>postcss-preset-env>css-has-pseudo>postcss","react-scripts>postcss-preset-env>css-prefers-color-scheme>postcss","react-scripts>postcss-preset-env>postcss","react-scripts>postcss-preset-env>postcss-attribute-case-insensitive>postcss","react-scripts>postcss-preset-env>postcss-color-functional-notation>postcss","react-scripts>postcss-preset-env>postcss-color-gray>postcss","react-scripts>postcss-preset-env>postcss-color-hex-alpha>postcss","react-scripts>postcss-preset-env>postcss-color-mod-function>postcss","react-scripts>postcss-preset-env>postcss-color-rebeccapurple>postcss","react-scripts>postcss-preset-env>postcss-custom-media>postcss","react-scripts>postcss-preset-env>postcss-custom-properties>postcss","react-scripts>postcss-preset-env>postcss-custom-selectors>postcss","react-scripts>postcss-preset-env>postcss-dir-pseudo-class>postcss","react-scripts>postcss-preset-env>postcss-double-position-gradients>postcss","react-scripts>postcss-preset-env>postcss-env-function>postcss","react-scripts>postcss-preset-env>postcss-focus-visible>postcss","react-scripts>postcss-preset-env>postcss-focus-within>postcss","react-scripts>postcss-preset-env>postcss-font-variant>postcss","react-scripts>postcss-preset-env>postcss-gap-properties>postcss","react-scripts>postcss-preset-env>postcss-image-set-function>postcss","react-scripts>postcss-preset-env>postcss-initial>postcss","react-scripts>postcss-preset-env>postcss-lab-function>postcss","react-scripts>postcss-preset-env>postcss-logical>postcss","react-scripts>postcss-preset-env>postcss-media-minmax>postcss","react-scripts>postcss-preset-env>postcss-nesting>postcss","react-scripts>postcss-preset-env>postcss-overflow-shorthand>postcss","react-scripts>postcss-preset-env>postcss-page-break>postcss","react-scripts>postcss-preset-env>postcss-place>postcss","react-scripts>postcss-preset-env>postcss-pseudo-class-any-link>postcss","react-scripts>postcss-preset-env>postcss-replace-overflow-wrap>postcss","react-scripts>postcss-preset-env>postcss-selector-matches>postcss","react-scripts>postcss-preset-env>postcss-selector-not>postcss"]},{"version":"7.0.21","paths":["react-scripts>resolve-url-loader>postcss"]}],"id":1693,"created":"2021-05-10T15:38:31.238Z","updated":"2021-05-10T15:44:02.027Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"postcss","cves":["CVE-2021-23368"],"vulnerable_versions":">=7.0.0 <8.2.10","patched_versions":">=8.2.10","overview":"`postcss` from 7.0.0 and before 8.2.10 are vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.","recommendation":"Upgrade to version 8.2.10 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-23368)\n- [GitHub Advisory](https://github.com/advisories/GHSA-hwj9-h5mp-3pm3)\n","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/1693"}}} {"type":"auditAdvisory","data":{"resolution":{"id":1747,"path":"react-scripts>react-dev-utils>browserslist","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.14.2","paths":["react-scripts>react-dev-utils>browserslist"]}],"id":1747,"created":"2021-05-24T19:56:39.062Z","updated":"2021-05-24T19:59:05.419Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"browserslist","cves":["CVE-2021-23364"],"vulnerable_versions":">=4.0.0 <4.16.5","patched_versions":">=4.16.5","overview":"The package `browserslist` from 4.0.0 and before 4.16.5 are vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.","recommendation":"Upgrade to version 4.16.5 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-23364)\n- [GitHub Advisory](https://github.com/advisories/GHSA-w8qv-6jwh-64r5)\n","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/1747"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1748,"path":"react-scripts>webpack-dev-server>ws","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"7.4.5","paths":["react-scripts>jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>jest-config>jest-environment-jsdom>jsdom>ws"]},{"version":"6.2.1","paths":["react-scripts>webpack-dev-server>ws"]}],"id":1748,"created":"2021-05-28T19:31:06.490Z","updated":"2021-06-01T16:55:09.017Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"ws","cves":["CVE-2021-32640"],"vulnerable_versions":">=5.0.0 <7.4.6","patched_versions":">=7.4.6","overview":"In `ws` before version 7.4.6 there is a ReDOS vulnerability.\n\n### Impact\n\nA specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server.\n\n### Proof of concept\n\n```js\nfor (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {\n const value = 'b' + ' '.repeat(length) + 'x';\n const start = process.hrtime.bigint();\n\n value.trim().split(/ *, */);\n\n const end = process.hrtime.bigint();\n\n console.log('length = %d, time = %f ns', length, end - start);\n}\n```\n\n### Patches\n\nThe vulnerability was fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff).\n\n### Workarounds\n\nIn vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.\n\n### Credits\n\nThe vulnerability was responsibly disclosed along with a fix in private by [Robert McLaughlin](https://github.com/robmcl4) from University of California, Santa Barbara.\n","recommendation":"Upgrade to version 7.4.6 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-32640)\n- [GitHub Advisory](https://github.com/advisories/GHSA-6fc8-4gx4-v693)","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/1748"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1748,"path":"react-scripts>webpack-dev-server>ws","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"7.4.5","paths":["react-scripts>jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest-circus>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","react-scripts>jest>jest-cli>jest-config>jest-environment-jsdom>jsdom>ws"]},{"version":"6.2.1","paths":["react-scripts>webpack-dev-server>ws"]}],"id":1748,"created":"2021-05-28T19:31:06.490Z","updated":"2021-06-04T19:38:37.285Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"ws","cves":["CVE-2021-32640"],"vulnerable_versions":">=5.0.0 <6.2.2 || >=7.0.0 <7.4.6","patched_versions":">=6.2.2 <7.0.0 || >=7.4.6","overview":"In `ws` before versions 6.2.2 and 7.4.6 there is a ReDOS vulnerability.\n\n### Impact\n\nA specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server.\n\n### Proof of concept\n\n```js\nfor (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {\n const value = 'b' + ' '.repeat(length) + 'x';\n const start = process.hrtime.bigint();\n\n value.trim().split(/ *, */);\n\n const end = process.hrtime.bigint();\n\n console.log('length = %d, time = %f ns', length, end - start);\n}\n```\n\n### Patches\n\nThe vulnerability was fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff).\n\n### Workarounds\n\nIn vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.\n\n### Credits\n\nThe vulnerability was responsibly disclosed along with a fix in private by [Robert McLaughlin](https://github.com/robmcl4) from University of California, Santa Barbara.\n","recommendation":"Upgrade to version 6.2.2 or 7.4.6 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-32640)\n- [GitHub Advisory](https://github.com/advisories/GHSA-6fc8-4gx4-v693)","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/1748"}}} diff --git a/src/app.js b/src/app.js index f789c86564..37e5d3ed38 100644 --- a/src/app.js +++ b/src/app.js @@ -59,7 +59,7 @@ app.get(oauth2CallbackPath, async (req, res) => { const { url } = requestObj; const { data } = await axios.get(url, requestObj); - logger.info(`User details response data: ${JSON.stringify(data, null, 2)}`); + auditLogger.info(`User details response data: ${JSON.stringify(data, null, 2)}`); const { name, principal: { diff --git a/yarn-audit-known-issues b/yarn-audit-known-issues index dba0f9a282..4bc5975f12 100644 --- a/yarn-audit-known-issues +++ b/yarn-audit-known-issues @@ -1,17 +1,17 @@ -{"type":"auditAdvisory","data":{"resolution":{"id":1748,"path":"@axe-core/cli>selenium-webdriver>ws","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"7.4.5","paths":["@axe-core/cli>selenium-webdriver>ws","selenium-webdriver>ws","jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>jest-config>jest-environment-jsdom>jsdom>ws","puppeteer>ws"]}],"id":1748,"created":"2021-05-28T19:31:06.490Z","updated":"2021-06-01T16:55:09.017Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"ws","cves":["CVE-2021-32640"],"vulnerable_versions":">=5.0.0 <7.4.6","patched_versions":">=7.4.6","overview":"In `ws` before version 7.4.6 there is a ReDOS vulnerability.\n\n### Impact\n\nA specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server.\n\n### Proof of concept\n\n```js\nfor (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {\n const value = 'b' + ' '.repeat(length) + 'x';\n const start = process.hrtime.bigint();\n\n value.trim().split(/ *, */);\n\n const end = process.hrtime.bigint();\n\n console.log('length = %d, time = %f ns', length, end - start);\n}\n```\n\n### Patches\n\nThe vulnerability was fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff).\n\n### Workarounds\n\nIn vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.\n\n### Credits\n\nThe vulnerability was responsibly disclosed along with a fix in private by [Robert McLaughlin](https://github.com/robmcl4) from University of California, Santa Barbara.\n","recommendation":"Upgrade to version 7.4.6 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-32640)\n- [GitHub Advisory](https://github.com/advisories/GHSA-6fc8-4gx4-v693)","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/1748"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1748,"path":"selenium-webdriver>ws","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"7.4.5","paths":["@axe-core/cli>selenium-webdriver>ws","selenium-webdriver>ws","jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>jest-config>jest-environment-jsdom>jsdom>ws","puppeteer>ws"]}],"id":1748,"created":"2021-05-28T19:31:06.490Z","updated":"2021-06-01T16:55:09.017Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"ws","cves":["CVE-2021-32640"],"vulnerable_versions":">=5.0.0 <7.4.6","patched_versions":">=7.4.6","overview":"In `ws` before version 7.4.6 there is a ReDOS vulnerability.\n\n### Impact\n\nA specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server.\n\n### Proof of concept\n\n```js\nfor (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {\n const value = 'b' + ' '.repeat(length) + 'x';\n const start = process.hrtime.bigint();\n\n value.trim().split(/ *, */);\n\n const end = process.hrtime.bigint();\n\n console.log('length = %d, time = %f ns', length, end - start);\n}\n```\n\n### Patches\n\nThe vulnerability was fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff).\n\n### Workarounds\n\nIn vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.\n\n### Credits\n\nThe vulnerability was responsibly disclosed along with a fix in private by [Robert McLaughlin](https://github.com/robmcl4) from University of California, Santa Barbara.\n","recommendation":"Upgrade to version 7.4.6 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-32640)\n- [GitHub Advisory](https://github.com/advisories/GHSA-6fc8-4gx4-v693)","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/1748"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1748,"path":"jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"7.4.5","paths":["@axe-core/cli>selenium-webdriver>ws","selenium-webdriver>ws","jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>jest-config>jest-environment-jsdom>jsdom>ws","puppeteer>ws"]}],"id":1748,"created":"2021-05-28T19:31:06.490Z","updated":"2021-06-01T16:55:09.017Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"ws","cves":["CVE-2021-32640"],"vulnerable_versions":">=5.0.0 <7.4.6","patched_versions":">=7.4.6","overview":"In `ws` before version 7.4.6 there is a ReDOS vulnerability.\n\n### Impact\n\nA specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server.\n\n### Proof of concept\n\n```js\nfor (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {\n const value = 'b' + ' '.repeat(length) + 'x';\n const start = process.hrtime.bigint();\n\n value.trim().split(/ *, */);\n\n const end = process.hrtime.bigint();\n\n console.log('length = %d, time = %f ns', length, end - start);\n}\n```\n\n### Patches\n\nThe vulnerability was fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff).\n\n### Workarounds\n\nIn vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.\n\n### Credits\n\nThe vulnerability was responsibly disclosed along with a fix in private by [Robert McLaughlin](https://github.com/robmcl4) from University of California, Santa Barbara.\n","recommendation":"Upgrade to version 7.4.6 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-32640)\n- [GitHub Advisory](https://github.com/advisories/GHSA-6fc8-4gx4-v693)","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/1748"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1748,"path":"jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"7.4.5","paths":["@axe-core/cli>selenium-webdriver>ws","selenium-webdriver>ws","jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>jest-config>jest-environment-jsdom>jsdom>ws","puppeteer>ws"]}],"id":1748,"created":"2021-05-28T19:31:06.490Z","updated":"2021-06-01T16:55:09.017Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"ws","cves":["CVE-2021-32640"],"vulnerable_versions":">=5.0.0 <7.4.6","patched_versions":">=7.4.6","overview":"In `ws` before version 7.4.6 there is a ReDOS vulnerability.\n\n### Impact\n\nA specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server.\n\n### Proof of concept\n\n```js\nfor (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {\n const value = 'b' + ' '.repeat(length) + 'x';\n const start = process.hrtime.bigint();\n\n value.trim().split(/ *, */);\n\n const end = process.hrtime.bigint();\n\n console.log('length = %d, time = %f ns', length, end - start);\n}\n```\n\n### Patches\n\nThe vulnerability was fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff).\n\n### Workarounds\n\nIn vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.\n\n### Credits\n\nThe vulnerability was responsibly disclosed along with a fix in private by [Robert McLaughlin](https://github.com/robmcl4) from University of California, Santa Barbara.\n","recommendation":"Upgrade to version 7.4.6 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-32640)\n- [GitHub Advisory](https://github.com/advisories/GHSA-6fc8-4gx4-v693)","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/1748"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1748,"path":"jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"7.4.5","paths":["@axe-core/cli>selenium-webdriver>ws","selenium-webdriver>ws","jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>jest-config>jest-environment-jsdom>jsdom>ws","puppeteer>ws"]}],"id":1748,"created":"2021-05-28T19:31:06.490Z","updated":"2021-06-01T16:55:09.017Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"ws","cves":["CVE-2021-32640"],"vulnerable_versions":">=5.0.0 <7.4.6","patched_versions":">=7.4.6","overview":"In `ws` before version 7.4.6 there is a ReDOS vulnerability.\n\n### Impact\n\nA specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server.\n\n### Proof of concept\n\n```js\nfor (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {\n const value = 'b' + ' '.repeat(length) + 'x';\n const start = process.hrtime.bigint();\n\n value.trim().split(/ *, */);\n\n const end = process.hrtime.bigint();\n\n console.log('length = %d, time = %f ns', length, end - start);\n}\n```\n\n### Patches\n\nThe vulnerability was fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff).\n\n### Workarounds\n\nIn vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.\n\n### Credits\n\nThe vulnerability was responsibly disclosed along with a fix in private by [Robert McLaughlin](https://github.com/robmcl4) from University of California, Santa Barbara.\n","recommendation":"Upgrade to version 7.4.6 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-32640)\n- [GitHub Advisory](https://github.com/advisories/GHSA-6fc8-4gx4-v693)","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/1748"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1748,"path":"jest>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"7.4.5","paths":["@axe-core/cli>selenium-webdriver>ws","selenium-webdriver>ws","jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>jest-config>jest-environment-jsdom>jsdom>ws","puppeteer>ws"]}],"id":1748,"created":"2021-05-28T19:31:06.490Z","updated":"2021-06-01T16:55:09.017Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"ws","cves":["CVE-2021-32640"],"vulnerable_versions":">=5.0.0 <7.4.6","patched_versions":">=7.4.6","overview":"In `ws` before version 7.4.6 there is a ReDOS vulnerability.\n\n### Impact\n\nA specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server.\n\n### Proof of concept\n\n```js\nfor (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {\n const value = 'b' + ' '.repeat(length) + 'x';\n const start = process.hrtime.bigint();\n\n value.trim().split(/ *, */);\n\n const end = process.hrtime.bigint();\n\n console.log('length = %d, time = %f ns', length, end - start);\n}\n```\n\n### Patches\n\nThe vulnerability was fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff).\n\n### Workarounds\n\nIn vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.\n\n### Credits\n\nThe vulnerability was responsibly disclosed along with a fix in private by [Robert McLaughlin](https://github.com/robmcl4) from University of California, Santa Barbara.\n","recommendation":"Upgrade to version 7.4.6 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-32640)\n- [GitHub Advisory](https://github.com/advisories/GHSA-6fc8-4gx4-v693)","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/1748"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1748,"path":"jest>jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"7.4.5","paths":["@axe-core/cli>selenium-webdriver>ws","selenium-webdriver>ws","jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>jest-config>jest-environment-jsdom>jsdom>ws","puppeteer>ws"]}],"id":1748,"created":"2021-05-28T19:31:06.490Z","updated":"2021-06-01T16:55:09.017Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"ws","cves":["CVE-2021-32640"],"vulnerable_versions":">=5.0.0 <7.4.6","patched_versions":">=7.4.6","overview":"In `ws` before version 7.4.6 there is a ReDOS vulnerability.\n\n### Impact\n\nA specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server.\n\n### Proof of concept\n\n```js\nfor (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {\n const value = 'b' + ' '.repeat(length) + 'x';\n const start = process.hrtime.bigint();\n\n value.trim().split(/ *, */);\n\n const end = process.hrtime.bigint();\n\n console.log('length = %d, time = %f ns', length, end - start);\n}\n```\n\n### Patches\n\nThe vulnerability was fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff).\n\n### Workarounds\n\nIn vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.\n\n### Credits\n\nThe vulnerability was responsibly disclosed along with a fix in private by [Robert McLaughlin](https://github.com/robmcl4) from University of California, Santa Barbara.\n","recommendation":"Upgrade to version 7.4.6 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-32640)\n- [GitHub Advisory](https://github.com/advisories/GHSA-6fc8-4gx4-v693)","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/1748"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1748,"path":"jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"7.4.5","paths":["@axe-core/cli>selenium-webdriver>ws","selenium-webdriver>ws","jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>jest-config>jest-environment-jsdom>jsdom>ws","puppeteer>ws"]}],"id":1748,"created":"2021-05-28T19:31:06.490Z","updated":"2021-06-01T16:55:09.017Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"ws","cves":["CVE-2021-32640"],"vulnerable_versions":">=5.0.0 <7.4.6","patched_versions":">=7.4.6","overview":"In `ws` before version 7.4.6 there is a ReDOS vulnerability.\n\n### Impact\n\nA specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server.\n\n### Proof of concept\n\n```js\nfor (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {\n const value = 'b' + ' '.repeat(length) + 'x';\n const start = process.hrtime.bigint();\n\n value.trim().split(/ *, */);\n\n const end = process.hrtime.bigint();\n\n console.log('length = %d, time = %f ns', length, end - start);\n}\n```\n\n### Patches\n\nThe vulnerability was fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff).\n\n### Workarounds\n\nIn vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.\n\n### Credits\n\nThe vulnerability was responsibly disclosed along with a fix in private by [Robert McLaughlin](https://github.com/robmcl4) from University of California, Santa Barbara.\n","recommendation":"Upgrade to version 7.4.6 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-32640)\n- [GitHub Advisory](https://github.com/advisories/GHSA-6fc8-4gx4-v693)","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/1748"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1748,"path":"jest>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"7.4.5","paths":["@axe-core/cli>selenium-webdriver>ws","selenium-webdriver>ws","jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>jest-config>jest-environment-jsdom>jsdom>ws","puppeteer>ws"]}],"id":1748,"created":"2021-05-28T19:31:06.490Z","updated":"2021-06-01T16:55:09.017Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"ws","cves":["CVE-2021-32640"],"vulnerable_versions":">=5.0.0 <7.4.6","patched_versions":">=7.4.6","overview":"In `ws` before version 7.4.6 there is a ReDOS vulnerability.\n\n### Impact\n\nA specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server.\n\n### Proof of concept\n\n```js\nfor (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {\n const value = 'b' + ' '.repeat(length) + 'x';\n const start = process.hrtime.bigint();\n\n value.trim().split(/ *, */);\n\n const end = process.hrtime.bigint();\n\n console.log('length = %d, time = %f ns', length, end - start);\n}\n```\n\n### Patches\n\nThe vulnerability was fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff).\n\n### Workarounds\n\nIn vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.\n\n### Credits\n\nThe vulnerability was responsibly disclosed along with a fix in private by [Robert McLaughlin](https://github.com/robmcl4) from University of California, Santa Barbara.\n","recommendation":"Upgrade to version 7.4.6 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-32640)\n- [GitHub Advisory](https://github.com/advisories/GHSA-6fc8-4gx4-v693)","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/1748"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1748,"path":"jest>jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"7.4.5","paths":["@axe-core/cli>selenium-webdriver>ws","selenium-webdriver>ws","jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>jest-config>jest-environment-jsdom>jsdom>ws","puppeteer>ws"]}],"id":1748,"created":"2021-05-28T19:31:06.490Z","updated":"2021-06-01T16:55:09.017Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"ws","cves":["CVE-2021-32640"],"vulnerable_versions":">=5.0.0 <7.4.6","patched_versions":">=7.4.6","overview":"In `ws` before version 7.4.6 there is a ReDOS vulnerability.\n\n### Impact\n\nA specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server.\n\n### Proof of concept\n\n```js\nfor (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {\n const value = 'b' + ' '.repeat(length) + 'x';\n const start = process.hrtime.bigint();\n\n value.trim().split(/ *, */);\n\n const end = process.hrtime.bigint();\n\n console.log('length = %d, time = %f ns', length, end - start);\n}\n```\n\n### Patches\n\nThe vulnerability was fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff).\n\n### Workarounds\n\nIn vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.\n\n### Credits\n\nThe vulnerability was responsibly disclosed along with a fix in private by [Robert McLaughlin](https://github.com/robmcl4) from University of California, Santa Barbara.\n","recommendation":"Upgrade to version 7.4.6 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-32640)\n- [GitHub Advisory](https://github.com/advisories/GHSA-6fc8-4gx4-v693)","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/1748"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1748,"path":"jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"7.4.5","paths":["@axe-core/cli>selenium-webdriver>ws","selenium-webdriver>ws","jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>jest-config>jest-environment-jsdom>jsdom>ws","puppeteer>ws"]}],"id":1748,"created":"2021-05-28T19:31:06.490Z","updated":"2021-06-01T16:55:09.017Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"ws","cves":["CVE-2021-32640"],"vulnerable_versions":">=5.0.0 <7.4.6","patched_versions":">=7.4.6","overview":"In `ws` before version 7.4.6 there is a ReDOS vulnerability.\n\n### Impact\n\nA specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server.\n\n### Proof of concept\n\n```js\nfor (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {\n const value = 'b' + ' '.repeat(length) + 'x';\n const start = process.hrtime.bigint();\n\n value.trim().split(/ *, */);\n\n const end = process.hrtime.bigint();\n\n console.log('length = %d, time = %f ns', length, end - start);\n}\n```\n\n### Patches\n\nThe vulnerability was fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff).\n\n### Workarounds\n\nIn vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.\n\n### Credits\n\nThe vulnerability was responsibly disclosed along with a fix in private by [Robert McLaughlin](https://github.com/robmcl4) from University of California, Santa Barbara.\n","recommendation":"Upgrade to version 7.4.6 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-32640)\n- [GitHub Advisory](https://github.com/advisories/GHSA-6fc8-4gx4-v693)","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/1748"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1748,"path":"jest>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"7.4.5","paths":["@axe-core/cli>selenium-webdriver>ws","selenium-webdriver>ws","jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>jest-config>jest-environment-jsdom>jsdom>ws","puppeteer>ws"]}],"id":1748,"created":"2021-05-28T19:31:06.490Z","updated":"2021-06-01T16:55:09.017Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"ws","cves":["CVE-2021-32640"],"vulnerable_versions":">=5.0.0 <7.4.6","patched_versions":">=7.4.6","overview":"In `ws` before version 7.4.6 there is a ReDOS vulnerability.\n\n### Impact\n\nA specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server.\n\n### Proof of concept\n\n```js\nfor (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {\n const value = 'b' + ' '.repeat(length) + 'x';\n const start = process.hrtime.bigint();\n\n value.trim().split(/ *, */);\n\n const end = process.hrtime.bigint();\n\n console.log('length = %d, time = %f ns', length, end - start);\n}\n```\n\n### Patches\n\nThe vulnerability was fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff).\n\n### Workarounds\n\nIn vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.\n\n### Credits\n\nThe vulnerability was responsibly disclosed along with a fix in private by [Robert McLaughlin](https://github.com/robmcl4) from University of California, Santa Barbara.\n","recommendation":"Upgrade to version 7.4.6 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-32640)\n- [GitHub Advisory](https://github.com/advisories/GHSA-6fc8-4gx4-v693)","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/1748"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1748,"path":"jest>jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"7.4.5","paths":["@axe-core/cli>selenium-webdriver>ws","selenium-webdriver>ws","jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>jest-config>jest-environment-jsdom>jsdom>ws","puppeteer>ws"]}],"id":1748,"created":"2021-05-28T19:31:06.490Z","updated":"2021-06-01T16:55:09.017Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"ws","cves":["CVE-2021-32640"],"vulnerable_versions":">=5.0.0 <7.4.6","patched_versions":">=7.4.6","overview":"In `ws` before version 7.4.6 there is a ReDOS vulnerability.\n\n### Impact\n\nA specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server.\n\n### Proof of concept\n\n```js\nfor (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {\n const value = 'b' + ' '.repeat(length) + 'x';\n const start = process.hrtime.bigint();\n\n value.trim().split(/ *, */);\n\n const end = process.hrtime.bigint();\n\n console.log('length = %d, time = %f ns', length, end - start);\n}\n```\n\n### Patches\n\nThe vulnerability was fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff).\n\n### Workarounds\n\nIn vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.\n\n### Credits\n\nThe vulnerability was responsibly disclosed along with a fix in private by [Robert McLaughlin](https://github.com/robmcl4) from University of California, Santa Barbara.\n","recommendation":"Upgrade to version 7.4.6 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-32640)\n- [GitHub Advisory](https://github.com/advisories/GHSA-6fc8-4gx4-v693)","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/1748"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1748,"path":"jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"7.4.5","paths":["@axe-core/cli>selenium-webdriver>ws","selenium-webdriver>ws","jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>jest-config>jest-environment-jsdom>jsdom>ws","puppeteer>ws"]}],"id":1748,"created":"2021-05-28T19:31:06.490Z","updated":"2021-06-01T16:55:09.017Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"ws","cves":["CVE-2021-32640"],"vulnerable_versions":">=5.0.0 <7.4.6","patched_versions":">=7.4.6","overview":"In `ws` before version 7.4.6 there is a ReDOS vulnerability.\n\n### Impact\n\nA specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server.\n\n### Proof of concept\n\n```js\nfor (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {\n const value = 'b' + ' '.repeat(length) + 'x';\n const start = process.hrtime.bigint();\n\n value.trim().split(/ *, */);\n\n const end = process.hrtime.bigint();\n\n console.log('length = %d, time = %f ns', length, end - start);\n}\n```\n\n### Patches\n\nThe vulnerability was fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff).\n\n### Workarounds\n\nIn vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.\n\n### Credits\n\nThe vulnerability was responsibly disclosed along with a fix in private by [Robert McLaughlin](https://github.com/robmcl4) from University of California, Santa Barbara.\n","recommendation":"Upgrade to version 7.4.6 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-32640)\n- [GitHub Advisory](https://github.com/advisories/GHSA-6fc8-4gx4-v693)","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/1748"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1748,"path":"jest>jest-cli>jest-config>jest-environment-jsdom>jsdom>ws","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"7.4.5","paths":["@axe-core/cli>selenium-webdriver>ws","selenium-webdriver>ws","jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>jest-config>jest-environment-jsdom>jsdom>ws","puppeteer>ws"]}],"id":1748,"created":"2021-05-28T19:31:06.490Z","updated":"2021-06-01T16:55:09.017Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"ws","cves":["CVE-2021-32640"],"vulnerable_versions":">=5.0.0 <7.4.6","patched_versions":">=7.4.6","overview":"In `ws` before version 7.4.6 there is a ReDOS vulnerability.\n\n### Impact\n\nA specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server.\n\n### Proof of concept\n\n```js\nfor (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {\n const value = 'b' + ' '.repeat(length) + 'x';\n const start = process.hrtime.bigint();\n\n value.trim().split(/ *, */);\n\n const end = process.hrtime.bigint();\n\n console.log('length = %d, time = %f ns', length, end - start);\n}\n```\n\n### Patches\n\nThe vulnerability was fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff).\n\n### Workarounds\n\nIn vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.\n\n### Credits\n\nThe vulnerability was responsibly disclosed along with a fix in private by [Robert McLaughlin](https://github.com/robmcl4) from University of California, Santa Barbara.\n","recommendation":"Upgrade to version 7.4.6 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-32640)\n- [GitHub Advisory](https://github.com/advisories/GHSA-6fc8-4gx4-v693)","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/1748"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1748,"path":"jest-cli>jest-config>jest-environment-jsdom>jsdom>ws","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"7.4.5","paths":["@axe-core/cli>selenium-webdriver>ws","selenium-webdriver>ws","jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>jest-config>jest-environment-jsdom>jsdom>ws","puppeteer>ws"]}],"id":1748,"created":"2021-05-28T19:31:06.490Z","updated":"2021-06-01T16:55:09.017Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"ws","cves":["CVE-2021-32640"],"vulnerable_versions":">=5.0.0 <7.4.6","patched_versions":">=7.4.6","overview":"In `ws` before version 7.4.6 there is a ReDOS vulnerability.\n\n### Impact\n\nA specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server.\n\n### Proof of concept\n\n```js\nfor (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {\n const value = 'b' + ' '.repeat(length) + 'x';\n const start = process.hrtime.bigint();\n\n value.trim().split(/ *, */);\n\n const end = process.hrtime.bigint();\n\n console.log('length = %d, time = %f ns', length, end - start);\n}\n```\n\n### Patches\n\nThe vulnerability was fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff).\n\n### Workarounds\n\nIn vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.\n\n### Credits\n\nThe vulnerability was responsibly disclosed along with a fix in private by [Robert McLaughlin](https://github.com/robmcl4) from University of California, Santa Barbara.\n","recommendation":"Upgrade to version 7.4.6 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-32640)\n- [GitHub Advisory](https://github.com/advisories/GHSA-6fc8-4gx4-v693)","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/1748"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1748,"path":"puppeteer>ws","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"7.4.5","paths":["@axe-core/cli>selenium-webdriver>ws","selenium-webdriver>ws","jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>jest-config>jest-environment-jsdom>jsdom>ws","puppeteer>ws"]}],"id":1748,"created":"2021-05-28T19:31:06.490Z","updated":"2021-06-01T16:55:09.017Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"ws","cves":["CVE-2021-32640"],"vulnerable_versions":">=5.0.0 <7.4.6","patched_versions":">=7.4.6","overview":"In `ws` before version 7.4.6 there is a ReDOS vulnerability.\n\n### Impact\n\nA specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server.\n\n### Proof of concept\n\n```js\nfor (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {\n const value = 'b' + ' '.repeat(length) + 'x';\n const start = process.hrtime.bigint();\n\n value.trim().split(/ *, */);\n\n const end = process.hrtime.bigint();\n\n console.log('length = %d, time = %f ns', length, end - start);\n}\n```\n\n### Patches\n\nThe vulnerability was fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff).\n\n### Workarounds\n\nIn vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.\n\n### Credits\n\nThe vulnerability was responsibly disclosed along with a fix in private by [Robert McLaughlin](https://github.com/robmcl4) from University of California, Santa Barbara.\n","recommendation":"Upgrade to version 7.4.6 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-32640)\n- [GitHub Advisory](https://github.com/advisories/GHSA-6fc8-4gx4-v693)","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/1748"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1748,"path":"@axe-core/cli>selenium-webdriver>ws","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"7.4.5","paths":["@axe-core/cli>selenium-webdriver>ws","selenium-webdriver>ws","jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>jest-config>jest-environment-jsdom>jsdom>ws","puppeteer>ws"]}],"id":1748,"created":"2021-05-28T19:31:06.490Z","updated":"2021-06-04T19:38:37.285Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"ws","cves":["CVE-2021-32640"],"vulnerable_versions":">=5.0.0 <6.2.2 || >=7.0.0 <7.4.6","patched_versions":">=6.2.2 <7.0.0 || >=7.4.6","overview":"In `ws` before versions 6.2.2 and 7.4.6 there is a ReDOS vulnerability.\n\n### Impact\n\nA specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server.\n\n### Proof of concept\n\n```js\nfor (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {\n const value = 'b' + ' '.repeat(length) + 'x';\n const start = process.hrtime.bigint();\n\n value.trim().split(/ *, */);\n\n const end = process.hrtime.bigint();\n\n console.log('length = %d, time = %f ns', length, end - start);\n}\n```\n\n### Patches\n\nThe vulnerability was fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff).\n\n### Workarounds\n\nIn vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.\n\n### Credits\n\nThe vulnerability was responsibly disclosed along with a fix in private by [Robert McLaughlin](https://github.com/robmcl4) from University of California, Santa Barbara.\n","recommendation":"Upgrade to version 6.2.2 or 7.4.6 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-32640)\n- [GitHub Advisory](https://github.com/advisories/GHSA-6fc8-4gx4-v693)","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/1748"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1748,"path":"selenium-webdriver>ws","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"7.4.5","paths":["@axe-core/cli>selenium-webdriver>ws","selenium-webdriver>ws","jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>jest-config>jest-environment-jsdom>jsdom>ws","puppeteer>ws"]}],"id":1748,"created":"2021-05-28T19:31:06.490Z","updated":"2021-06-04T19:38:37.285Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"ws","cves":["CVE-2021-32640"],"vulnerable_versions":">=5.0.0 <6.2.2 || >=7.0.0 <7.4.6","patched_versions":">=6.2.2 <7.0.0 || >=7.4.6","overview":"In `ws` before versions 6.2.2 and 7.4.6 there is a ReDOS vulnerability.\n\n### Impact\n\nA specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server.\n\n### Proof of concept\n\n```js\nfor (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {\n const value = 'b' + ' '.repeat(length) + 'x';\n const start = process.hrtime.bigint();\n\n value.trim().split(/ *, */);\n\n const end = process.hrtime.bigint();\n\n console.log('length = %d, time = %f ns', length, end - start);\n}\n```\n\n### Patches\n\nThe vulnerability was fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff).\n\n### Workarounds\n\nIn vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.\n\n### Credits\n\nThe vulnerability was responsibly disclosed along with a fix in private by [Robert McLaughlin](https://github.com/robmcl4) from University of California, Santa Barbara.\n","recommendation":"Upgrade to version 6.2.2 or 7.4.6 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-32640)\n- [GitHub Advisory](https://github.com/advisories/GHSA-6fc8-4gx4-v693)","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/1748"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1748,"path":"jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"7.4.5","paths":["@axe-core/cli>selenium-webdriver>ws","selenium-webdriver>ws","jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>jest-config>jest-environment-jsdom>jsdom>ws","puppeteer>ws"]}],"id":1748,"created":"2021-05-28T19:31:06.490Z","updated":"2021-06-04T19:38:37.285Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"ws","cves":["CVE-2021-32640"],"vulnerable_versions":">=5.0.0 <6.2.2 || >=7.0.0 <7.4.6","patched_versions":">=6.2.2 <7.0.0 || >=7.4.6","overview":"In `ws` before versions 6.2.2 and 7.4.6 there is a ReDOS vulnerability.\n\n### Impact\n\nA specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server.\n\n### Proof of concept\n\n```js\nfor (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {\n const value = 'b' + ' '.repeat(length) + 'x';\n const start = process.hrtime.bigint();\n\n value.trim().split(/ *, */);\n\n const end = process.hrtime.bigint();\n\n console.log('length = %d, time = %f ns', length, end - start);\n}\n```\n\n### Patches\n\nThe vulnerability was fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff).\n\n### Workarounds\n\nIn vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.\n\n### Credits\n\nThe vulnerability was responsibly disclosed along with a fix in private by [Robert McLaughlin](https://github.com/robmcl4) from University of California, Santa Barbara.\n","recommendation":"Upgrade to version 6.2.2 or 7.4.6 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-32640)\n- [GitHub Advisory](https://github.com/advisories/GHSA-6fc8-4gx4-v693)","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/1748"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1748,"path":"jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"7.4.5","paths":["@axe-core/cli>selenium-webdriver>ws","selenium-webdriver>ws","jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>jest-config>jest-environment-jsdom>jsdom>ws","puppeteer>ws"]}],"id":1748,"created":"2021-05-28T19:31:06.490Z","updated":"2021-06-04T19:38:37.285Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"ws","cves":["CVE-2021-32640"],"vulnerable_versions":">=5.0.0 <6.2.2 || >=7.0.0 <7.4.6","patched_versions":">=6.2.2 <7.0.0 || >=7.4.6","overview":"In `ws` before versions 6.2.2 and 7.4.6 there is a ReDOS vulnerability.\n\n### Impact\n\nA specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server.\n\n### Proof of concept\n\n```js\nfor (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {\n const value = 'b' + ' '.repeat(length) + 'x';\n const start = process.hrtime.bigint();\n\n value.trim().split(/ *, */);\n\n const end = process.hrtime.bigint();\n\n console.log('length = %d, time = %f ns', length, end - start);\n}\n```\n\n### Patches\n\nThe vulnerability was fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff).\n\n### Workarounds\n\nIn vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.\n\n### Credits\n\nThe vulnerability was responsibly disclosed along with a fix in private by [Robert McLaughlin](https://github.com/robmcl4) from University of California, Santa Barbara.\n","recommendation":"Upgrade to version 6.2.2 or 7.4.6 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-32640)\n- [GitHub Advisory](https://github.com/advisories/GHSA-6fc8-4gx4-v693)","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/1748"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1748,"path":"jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"7.4.5","paths":["@axe-core/cli>selenium-webdriver>ws","selenium-webdriver>ws","jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>jest-config>jest-environment-jsdom>jsdom>ws","puppeteer>ws"]}],"id":1748,"created":"2021-05-28T19:31:06.490Z","updated":"2021-06-04T19:38:37.285Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"ws","cves":["CVE-2021-32640"],"vulnerable_versions":">=5.0.0 <6.2.2 || >=7.0.0 <7.4.6","patched_versions":">=6.2.2 <7.0.0 || >=7.4.6","overview":"In `ws` before versions 6.2.2 and 7.4.6 there is a ReDOS vulnerability.\n\n### Impact\n\nA specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server.\n\n### Proof of concept\n\n```js\nfor (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {\n const value = 'b' + ' '.repeat(length) + 'x';\n const start = process.hrtime.bigint();\n\n value.trim().split(/ *, */);\n\n const end = process.hrtime.bigint();\n\n console.log('length = %d, time = %f ns', length, end - start);\n}\n```\n\n### Patches\n\nThe vulnerability was fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff).\n\n### Workarounds\n\nIn vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.\n\n### Credits\n\nThe vulnerability was responsibly disclosed along with a fix in private by [Robert McLaughlin](https://github.com/robmcl4) from University of California, Santa Barbara.\n","recommendation":"Upgrade to version 6.2.2 or 7.4.6 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-32640)\n- [GitHub Advisory](https://github.com/advisories/GHSA-6fc8-4gx4-v693)","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/1748"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1748,"path":"jest>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"7.4.5","paths":["@axe-core/cli>selenium-webdriver>ws","selenium-webdriver>ws","jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>jest-config>jest-environment-jsdom>jsdom>ws","puppeteer>ws"]}],"id":1748,"created":"2021-05-28T19:31:06.490Z","updated":"2021-06-04T19:38:37.285Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"ws","cves":["CVE-2021-32640"],"vulnerable_versions":">=5.0.0 <6.2.2 || >=7.0.0 <7.4.6","patched_versions":">=6.2.2 <7.0.0 || >=7.4.6","overview":"In `ws` before versions 6.2.2 and 7.4.6 there is a ReDOS vulnerability.\n\n### Impact\n\nA specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server.\n\n### Proof of concept\n\n```js\nfor (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {\n const value = 'b' + ' '.repeat(length) + 'x';\n const start = process.hrtime.bigint();\n\n value.trim().split(/ *, */);\n\n const end = process.hrtime.bigint();\n\n console.log('length = %d, time = %f ns', length, end - start);\n}\n```\n\n### Patches\n\nThe vulnerability was fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff).\n\n### Workarounds\n\nIn vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.\n\n### Credits\n\nThe vulnerability was responsibly disclosed along with a fix in private by [Robert McLaughlin](https://github.com/robmcl4) from University of California, Santa Barbara.\n","recommendation":"Upgrade to version 6.2.2 or 7.4.6 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-32640)\n- [GitHub Advisory](https://github.com/advisories/GHSA-6fc8-4gx4-v693)","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/1748"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1748,"path":"jest>jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"7.4.5","paths":["@axe-core/cli>selenium-webdriver>ws","selenium-webdriver>ws","jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>jest-config>jest-environment-jsdom>jsdom>ws","puppeteer>ws"]}],"id":1748,"created":"2021-05-28T19:31:06.490Z","updated":"2021-06-04T19:38:37.285Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"ws","cves":["CVE-2021-32640"],"vulnerable_versions":">=5.0.0 <6.2.2 || >=7.0.0 <7.4.6","patched_versions":">=6.2.2 <7.0.0 || >=7.4.6","overview":"In `ws` before versions 6.2.2 and 7.4.6 there is a ReDOS vulnerability.\n\n### Impact\n\nA specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server.\n\n### Proof of concept\n\n```js\nfor (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {\n const value = 'b' + ' '.repeat(length) + 'x';\n const start = process.hrtime.bigint();\n\n value.trim().split(/ *, */);\n\n const end = process.hrtime.bigint();\n\n console.log('length = %d, time = %f ns', length, end - start);\n}\n```\n\n### Patches\n\nThe vulnerability was fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff).\n\n### Workarounds\n\nIn vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.\n\n### Credits\n\nThe vulnerability was responsibly disclosed along with a fix in private by [Robert McLaughlin](https://github.com/robmcl4) from University of California, Santa Barbara.\n","recommendation":"Upgrade to version 6.2.2 or 7.4.6 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-32640)\n- [GitHub Advisory](https://github.com/advisories/GHSA-6fc8-4gx4-v693)","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/1748"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1748,"path":"jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"7.4.5","paths":["@axe-core/cli>selenium-webdriver>ws","selenium-webdriver>ws","jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>jest-config>jest-environment-jsdom>jsdom>ws","puppeteer>ws"]}],"id":1748,"created":"2021-05-28T19:31:06.490Z","updated":"2021-06-04T19:38:37.285Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"ws","cves":["CVE-2021-32640"],"vulnerable_versions":">=5.0.0 <6.2.2 || >=7.0.0 <7.4.6","patched_versions":">=6.2.2 <7.0.0 || >=7.4.6","overview":"In `ws` before versions 6.2.2 and 7.4.6 there is a ReDOS vulnerability.\n\n### Impact\n\nA specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server.\n\n### Proof of concept\n\n```js\nfor (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {\n const value = 'b' + ' '.repeat(length) + 'x';\n const start = process.hrtime.bigint();\n\n value.trim().split(/ *, */);\n\n const end = process.hrtime.bigint();\n\n console.log('length = %d, time = %f ns', length, end - start);\n}\n```\n\n### Patches\n\nThe vulnerability was fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff).\n\n### Workarounds\n\nIn vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.\n\n### Credits\n\nThe vulnerability was responsibly disclosed along with a fix in private by [Robert McLaughlin](https://github.com/robmcl4) from University of California, Santa Barbara.\n","recommendation":"Upgrade to version 6.2.2 or 7.4.6 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-32640)\n- [GitHub Advisory](https://github.com/advisories/GHSA-6fc8-4gx4-v693)","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/1748"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1748,"path":"jest>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"7.4.5","paths":["@axe-core/cli>selenium-webdriver>ws","selenium-webdriver>ws","jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>jest-config>jest-environment-jsdom>jsdom>ws","puppeteer>ws"]}],"id":1748,"created":"2021-05-28T19:31:06.490Z","updated":"2021-06-04T19:38:37.285Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"ws","cves":["CVE-2021-32640"],"vulnerable_versions":">=5.0.0 <6.2.2 || >=7.0.0 <7.4.6","patched_versions":">=6.2.2 <7.0.0 || >=7.4.6","overview":"In `ws` before versions 6.2.2 and 7.4.6 there is a ReDOS vulnerability.\n\n### Impact\n\nA specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server.\n\n### Proof of concept\n\n```js\nfor (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {\n const value = 'b' + ' '.repeat(length) + 'x';\n const start = process.hrtime.bigint();\n\n value.trim().split(/ *, */);\n\n const end = process.hrtime.bigint();\n\n console.log('length = %d, time = %f ns', length, end - start);\n}\n```\n\n### Patches\n\nThe vulnerability was fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff).\n\n### Workarounds\n\nIn vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.\n\n### Credits\n\nThe vulnerability was responsibly disclosed along with a fix in private by [Robert McLaughlin](https://github.com/robmcl4) from University of California, Santa Barbara.\n","recommendation":"Upgrade to version 6.2.2 or 7.4.6 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-32640)\n- [GitHub Advisory](https://github.com/advisories/GHSA-6fc8-4gx4-v693)","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/1748"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1748,"path":"jest>jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"7.4.5","paths":["@axe-core/cli>selenium-webdriver>ws","selenium-webdriver>ws","jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>jest-config>jest-environment-jsdom>jsdom>ws","puppeteer>ws"]}],"id":1748,"created":"2021-05-28T19:31:06.490Z","updated":"2021-06-04T19:38:37.285Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"ws","cves":["CVE-2021-32640"],"vulnerable_versions":">=5.0.0 <6.2.2 || >=7.0.0 <7.4.6","patched_versions":">=6.2.2 <7.0.0 || >=7.4.6","overview":"In `ws` before versions 6.2.2 and 7.4.6 there is a ReDOS vulnerability.\n\n### Impact\n\nA specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server.\n\n### Proof of concept\n\n```js\nfor (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {\n const value = 'b' + ' '.repeat(length) + 'x';\n const start = process.hrtime.bigint();\n\n value.trim().split(/ *, */);\n\n const end = process.hrtime.bigint();\n\n console.log('length = %d, time = %f ns', length, end - start);\n}\n```\n\n### Patches\n\nThe vulnerability was fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff).\n\n### Workarounds\n\nIn vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.\n\n### Credits\n\nThe vulnerability was responsibly disclosed along with a fix in private by [Robert McLaughlin](https://github.com/robmcl4) from University of California, Santa Barbara.\n","recommendation":"Upgrade to version 6.2.2 or 7.4.6 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-32640)\n- [GitHub Advisory](https://github.com/advisories/GHSA-6fc8-4gx4-v693)","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/1748"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1748,"path":"jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"7.4.5","paths":["@axe-core/cli>selenium-webdriver>ws","selenium-webdriver>ws","jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>jest-config>jest-environment-jsdom>jsdom>ws","puppeteer>ws"]}],"id":1748,"created":"2021-05-28T19:31:06.490Z","updated":"2021-06-04T19:38:37.285Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"ws","cves":["CVE-2021-32640"],"vulnerable_versions":">=5.0.0 <6.2.2 || >=7.0.0 <7.4.6","patched_versions":">=6.2.2 <7.0.0 || >=7.4.6","overview":"In `ws` before versions 6.2.2 and 7.4.6 there is a ReDOS vulnerability.\n\n### Impact\n\nA specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server.\n\n### Proof of concept\n\n```js\nfor (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {\n const value = 'b' + ' '.repeat(length) + 'x';\n const start = process.hrtime.bigint();\n\n value.trim().split(/ *, */);\n\n const end = process.hrtime.bigint();\n\n console.log('length = %d, time = %f ns', length, end - start);\n}\n```\n\n### Patches\n\nThe vulnerability was fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff).\n\n### Workarounds\n\nIn vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.\n\n### Credits\n\nThe vulnerability was responsibly disclosed along with a fix in private by [Robert McLaughlin](https://github.com/robmcl4) from University of California, Santa Barbara.\n","recommendation":"Upgrade to version 6.2.2 or 7.4.6 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-32640)\n- [GitHub Advisory](https://github.com/advisories/GHSA-6fc8-4gx4-v693)","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/1748"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1748,"path":"jest>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"7.4.5","paths":["@axe-core/cli>selenium-webdriver>ws","selenium-webdriver>ws","jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>jest-config>jest-environment-jsdom>jsdom>ws","puppeteer>ws"]}],"id":1748,"created":"2021-05-28T19:31:06.490Z","updated":"2021-06-04T19:38:37.285Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"ws","cves":["CVE-2021-32640"],"vulnerable_versions":">=5.0.0 <6.2.2 || >=7.0.0 <7.4.6","patched_versions":">=6.2.2 <7.0.0 || >=7.4.6","overview":"In `ws` before versions 6.2.2 and 7.4.6 there is a ReDOS vulnerability.\n\n### Impact\n\nA specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server.\n\n### Proof of concept\n\n```js\nfor (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {\n const value = 'b' + ' '.repeat(length) + 'x';\n const start = process.hrtime.bigint();\n\n value.trim().split(/ *, */);\n\n const end = process.hrtime.bigint();\n\n console.log('length = %d, time = %f ns', length, end - start);\n}\n```\n\n### Patches\n\nThe vulnerability was fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff).\n\n### Workarounds\n\nIn vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.\n\n### Credits\n\nThe vulnerability was responsibly disclosed along with a fix in private by [Robert McLaughlin](https://github.com/robmcl4) from University of California, Santa Barbara.\n","recommendation":"Upgrade to version 6.2.2 or 7.4.6 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-32640)\n- [GitHub Advisory](https://github.com/advisories/GHSA-6fc8-4gx4-v693)","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/1748"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1748,"path":"jest>jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"7.4.5","paths":["@axe-core/cli>selenium-webdriver>ws","selenium-webdriver>ws","jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>jest-config>jest-environment-jsdom>jsdom>ws","puppeteer>ws"]}],"id":1748,"created":"2021-05-28T19:31:06.490Z","updated":"2021-06-04T19:38:37.285Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"ws","cves":["CVE-2021-32640"],"vulnerable_versions":">=5.0.0 <6.2.2 || >=7.0.0 <7.4.6","patched_versions":">=6.2.2 <7.0.0 || >=7.4.6","overview":"In `ws` before versions 6.2.2 and 7.4.6 there is a ReDOS vulnerability.\n\n### Impact\n\nA specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server.\n\n### Proof of concept\n\n```js\nfor (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {\n const value = 'b' + ' '.repeat(length) + 'x';\n const start = process.hrtime.bigint();\n\n value.trim().split(/ *, */);\n\n const end = process.hrtime.bigint();\n\n console.log('length = %d, time = %f ns', length, end - start);\n}\n```\n\n### Patches\n\nThe vulnerability was fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff).\n\n### Workarounds\n\nIn vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.\n\n### Credits\n\nThe vulnerability was responsibly disclosed along with a fix in private by [Robert McLaughlin](https://github.com/robmcl4) from University of California, Santa Barbara.\n","recommendation":"Upgrade to version 6.2.2 or 7.4.6 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-32640)\n- [GitHub Advisory](https://github.com/advisories/GHSA-6fc8-4gx4-v693)","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/1748"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1748,"path":"jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"7.4.5","paths":["@axe-core/cli>selenium-webdriver>ws","selenium-webdriver>ws","jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>jest-config>jest-environment-jsdom>jsdom>ws","puppeteer>ws"]}],"id":1748,"created":"2021-05-28T19:31:06.490Z","updated":"2021-06-04T19:38:37.285Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"ws","cves":["CVE-2021-32640"],"vulnerable_versions":">=5.0.0 <6.2.2 || >=7.0.0 <7.4.6","patched_versions":">=6.2.2 <7.0.0 || >=7.4.6","overview":"In `ws` before versions 6.2.2 and 7.4.6 there is a ReDOS vulnerability.\n\n### Impact\n\nA specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server.\n\n### Proof of concept\n\n```js\nfor (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {\n const value = 'b' + ' '.repeat(length) + 'x';\n const start = process.hrtime.bigint();\n\n value.trim().split(/ *, */);\n\n const end = process.hrtime.bigint();\n\n console.log('length = %d, time = %f ns', length, end - start);\n}\n```\n\n### Patches\n\nThe vulnerability was fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff).\n\n### Workarounds\n\nIn vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.\n\n### Credits\n\nThe vulnerability was responsibly disclosed along with a fix in private by [Robert McLaughlin](https://github.com/robmcl4) from University of California, Santa Barbara.\n","recommendation":"Upgrade to version 6.2.2 or 7.4.6 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-32640)\n- [GitHub Advisory](https://github.com/advisories/GHSA-6fc8-4gx4-v693)","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/1748"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1748,"path":"jest>jest-cli>jest-config>jest-environment-jsdom>jsdom>ws","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"7.4.5","paths":["@axe-core/cli>selenium-webdriver>ws","selenium-webdriver>ws","jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>jest-config>jest-environment-jsdom>jsdom>ws","puppeteer>ws"]}],"id":1748,"created":"2021-05-28T19:31:06.490Z","updated":"2021-06-04T19:38:37.285Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"ws","cves":["CVE-2021-32640"],"vulnerable_versions":">=5.0.0 <6.2.2 || >=7.0.0 <7.4.6","patched_versions":">=6.2.2 <7.0.0 || >=7.4.6","overview":"In `ws` before versions 6.2.2 and 7.4.6 there is a ReDOS vulnerability.\n\n### Impact\n\nA specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server.\n\n### Proof of concept\n\n```js\nfor (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {\n const value = 'b' + ' '.repeat(length) + 'x';\n const start = process.hrtime.bigint();\n\n value.trim().split(/ *, */);\n\n const end = process.hrtime.bigint();\n\n console.log('length = %d, time = %f ns', length, end - start);\n}\n```\n\n### Patches\n\nThe vulnerability was fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff).\n\n### Workarounds\n\nIn vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.\n\n### Credits\n\nThe vulnerability was responsibly disclosed along with a fix in private by [Robert McLaughlin](https://github.com/robmcl4) from University of California, Santa Barbara.\n","recommendation":"Upgrade to version 6.2.2 or 7.4.6 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-32640)\n- [GitHub Advisory](https://github.com/advisories/GHSA-6fc8-4gx4-v693)","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/1748"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1748,"path":"jest-cli>jest-config>jest-environment-jsdom>jsdom>ws","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"7.4.5","paths":["@axe-core/cli>selenium-webdriver>ws","selenium-webdriver>ws","jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>jest-config>jest-environment-jsdom>jsdom>ws","puppeteer>ws"]}],"id":1748,"created":"2021-05-28T19:31:06.490Z","updated":"2021-06-04T19:38:37.285Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"ws","cves":["CVE-2021-32640"],"vulnerable_versions":">=5.0.0 <6.2.2 || >=7.0.0 <7.4.6","patched_versions":">=6.2.2 <7.0.0 || >=7.4.6","overview":"In `ws` before versions 6.2.2 and 7.4.6 there is a ReDOS vulnerability.\n\n### Impact\n\nA specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server.\n\n### Proof of concept\n\n```js\nfor (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {\n const value = 'b' + ' '.repeat(length) + 'x';\n const start = process.hrtime.bigint();\n\n value.trim().split(/ *, */);\n\n const end = process.hrtime.bigint();\n\n console.log('length = %d, time = %f ns', length, end - start);\n}\n```\n\n### Patches\n\nThe vulnerability was fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff).\n\n### Workarounds\n\nIn vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.\n\n### Credits\n\nThe vulnerability was responsibly disclosed along with a fix in private by [Robert McLaughlin](https://github.com/robmcl4) from University of California, Santa Barbara.\n","recommendation":"Upgrade to version 6.2.2 or 7.4.6 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-32640)\n- [GitHub Advisory](https://github.com/advisories/GHSA-6fc8-4gx4-v693)","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/1748"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1748,"path":"puppeteer>ws","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"7.4.5","paths":["@axe-core/cli>selenium-webdriver>ws","selenium-webdriver>ws","jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>@jest/core>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws","jest>jest-cli>jest-config>jest-environment-jsdom>jsdom>ws","jest-cli>jest-config>jest-environment-jsdom>jsdom>ws","puppeteer>ws"]}],"id":1748,"created":"2021-05-28T19:31:06.490Z","updated":"2021-06-04T19:38:37.285Z","deleted":null,"title":"Regular Expression Denial of Service","found_by":{"link":"","name":"Anonymous","email":""},"reported_by":{"link":"","name":"Anonymous","email":""},"module_name":"ws","cves":["CVE-2021-32640"],"vulnerable_versions":">=5.0.0 <6.2.2 || >=7.0.0 <7.4.6","patched_versions":">=6.2.2 <7.0.0 || >=7.4.6","overview":"In `ws` before versions 6.2.2 and 7.4.6 there is a ReDOS vulnerability.\n\n### Impact\n\nA specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server.\n\n### Proof of concept\n\n```js\nfor (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {\n const value = 'b' + ' '.repeat(length) + 'x';\n const start = process.hrtime.bigint();\n\n value.trim().split(/ *, */);\n\n const end = process.hrtime.bigint();\n\n console.log('length = %d, time = %f ns', length, end - start);\n}\n```\n\n### Patches\n\nThe vulnerability was fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff).\n\n### Workarounds\n\nIn vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.\n\n### Credits\n\nThe vulnerability was responsibly disclosed along with a fix in private by [Robert McLaughlin](https://github.com/robmcl4) from University of California, Santa Barbara.\n","recommendation":"Upgrade to version 6.2.2 or 7.4.6 or later","references":"- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-32640)\n- [GitHub Advisory](https://github.com/advisories/GHSA-6fc8-4gx4-v693)","access":"public","severity":"moderate","cwe":"CWE-400","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/1748"}}}