Vulnerable Library - @cyclone-ui/storybook-0.3.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Vulnerabilities
| Vulnerability |
Severity |
 CVSS |
Dependency |
Type |
Fixed in (@cyclone-ui/storybook version) |
Remediation Possible** |
| CVE-2025-61686 |
 Critical |
9.1 |
node-2.15.0.tgz |
Transitive |
N/A* |
❌ |
| CVE-2026-8657 |
 High |
8.2 |
jsondiffpatch-0.5.0.tgz |
Transitive |
N/A* |
❌ |
| CVE-2026-22029 |
High |
8.0 |
router-1.21.0.tgz |
Transitive |
N/A* |
❌ |
| CVE-2026-2229 |
High |
7.5 |
undici-6.21.0.tgz |
Transitive |
N/A* |
❌ |
| CVE-2026-1528 |
High |
7.5 |
undici-6.21.0.tgz |
Transitive |
N/A* |
❌ |
| CVE-2026-1526 |
High |
7.5 |
undici-6.21.0.tgz |
Transitive |
N/A* |
❌ |
| CVE-2025-22150 |
 Medium |
6.8 |
undici-6.21.0.tgz |
Transitive |
N/A* |
❌ |
| CVE-2026-22030 |
Medium |
6.5 |
server-runtime-2.15.0.tgz |
Transitive |
N/A* |
❌ |
| CVE-2026-1525 |
Medium |
6.5 |
undici-6.21.0.tgz |
Transitive |
N/A* |
❌ |
| CVE-2025-9910 |
Medium |
6.1 |
jsondiffpatch-0.5.0.tgz |
Transitive |
N/A* |
❌ |
| CVE-2026-22036 |
Medium |
5.9 |
undici-6.21.0.tgz |
Transitive |
N/A* |
❌ |
| CVE-2026-8656 |
Medium |
4.7 |
jsondiffpatch-0.5.0.tgz |
Transitive |
N/A* |
❌ |
| CVE-2026-1527 |
Medium |
4.6 |
undici-6.21.0.tgz |
Transitive |
N/A* |
❌ |
| CVE-2025-47279 |
 Low |
3.1 |
undici-6.21.0.tgz |
Transitive |
N/A* |
❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2025-61686
Vulnerable Library - node-2.15.0.tgz
Node.js platform abstractions for Remix
Library home page: https://registry.npmjs.org/@remix-run/node/-/node-2.15.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @cyclone-ui/storybook-0.3.0.tgz (Root Library)
- expo-router-3.5.24.tgz
- server-0.4.4.tgz
- ❌ node-2.15.0.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
React Router is a router for React. In @react-router/node versions 7.0.0 through 7.9.3, @remix-run/deno prior to version 2.17.2, and @remix-run/node prior to version 2.17.2, if createFileSessionStorage() is being used from @react-router/node (or @remix-run/node/@remix-run/deno in Remix v2) with an unsigned cookie, it is possible for an attacker to cause the session to try to read/write from a location outside the specified session file directory. The success of the attack would depend on the permissions of the web server process to access those files. Read files cannot be returned directly to the attacker. Session file reads would only succeed if the file matched the expected session file format. If the file matched the session file format, the data would be populated into the server side session but not directly returned to the attacker unless the application logic returned specific session information. This issue has been patched in @react-router/node version 7.9.4, @remix-run/deno version 2.17.2, and @remix-run/node version 2.17.2.
Publish Date: 2026-01-10
URL: CVE-2025-61686
CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-9583-h5hc-x8cw
Release Date: 2026-01-08
Fix Resolution: https://github.com/remix-run/react-router.git - react-router@7.9.4,@react-router/node - 7.9.4,react-router - no_fix,@remix-run/node - 2.17.2,@remix-run/deno - 2.17.2
Step up your Open Source Security Game with Mend here
CVE-2026-8657
Vulnerable Library - jsondiffpatch-0.5.0.tgz
Library home page: https://registry.npmjs.org/jsondiffpatch/-/jsondiffpatch-0.5.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @cyclone-ui/storybook-0.3.0.tgz (Root Library)
- jotai-devtools-0.10.1.tgz
- ❌ jsondiffpatch-0.5.0.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Versions of the package jsondiffpatch before 0.7.6 are vulnerable to Prototype Pollution via the jsondiffpatch.patch() and jsondiffpatch/formatters/jsonpatch.patch() APIs. An attacker can perform prototype pollution by supplying crafted delta or JSON Patch documents, as attacker-controlled property names and path segments are used to traverse and modify objects without restricting access to special properties like proto or constructor.prototype, allowing modification of Object.prototype.
Publish Date: 2026-05-16
URL: CVE-2026-8657
CVSS 3 Score Details (8.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-05-16
Fix Resolution: jsondiffpatch - 0.7.6,jsondiffpatch - 0.7.6
Step up your Open Source Security Game with Mend here
CVE-2026-22029
Vulnerable Library - router-1.21.0.tgz
Nested/Data-driven/Framework-agnostic Routing
Library home page: https://registry.npmjs.org/@remix-run/router/-/router-1.21.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @cyclone-ui/storybook-0.3.0.tgz (Root Library)
- expo-router-3.5.24.tgz
- server-0.4.4.tgz
- node-2.15.0.tgz
- server-runtime-2.15.0.tgz
- ❌ router-1.21.0.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
React Router is a router for React. In @remix-run/router version prior to 1.23.2. and react-router 7.0.0 through 7.11.0, React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes can result in unsafe URLs causing unintended javascript execution on the client. This is only an issue if you are creating redirect paths from untrusted content or via an open redirect. There is no impact if Declarative Mode () is being used. This issue has been patched in @remix-run/router version 1.23.2 and react-router version 7.12.0.
Publish Date: 2026-01-10
URL: CVE-2026-22029
CVSS 3 Score Details (8.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-2w69-qvjg-hvjx
Release Date: 2026-01-08
Fix Resolution: https://github.com/remix-run/react-router.git - react-router@7.12.0,@remix-run/router - 1.23.2,https://github.com/remix-run/react-router.git - @remix-run/router@1.23.2,react-router - 7.12.0
Step up your Open Source Security Game with Mend here
CVE-2026-2229
Vulnerable Library - undici-6.21.0.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-6.21.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @cyclone-ui/storybook-0.3.0.tgz (Root Library)
- expo-router-3.5.24.tgz
- server-0.4.4.tgz
- node-2.15.0.tgz
- ❌ undici-6.21.0.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
ImpactThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. A malicious server can respond with an out-of-range server_max_window_bits value (outside zlib's valid range of 8-15). When the server subsequently sends a compressed frame, the client attempts to create a zlib InflateRaw instance with the invalid windowBits value, causing a synchronous RangeError exception that is not caught, resulting in immediate process termination.
The vulnerability exists because:
- The isValidClientWindowBits() function only validates that the value contains ASCII digits, not that it falls within the valid range 8-15
- The createInflateRaw() call is not wrapped in a try-catch block
- The resulting exception propagates up through the call stack and crashes the Node.js process
Publish Date: 2026-03-12
URL: CVE-2026-2229
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-v9p9-hfj2-hcw8
Release Date: 2026-03-12
Fix Resolution: undici - 7.24.0,undici - 6.24.0
Step up your Open Source Security Game with Mend here
CVE-2026-1528
Vulnerable Library - undici-6.21.0.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-6.21.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @cyclone-ui/storybook-0.3.0.tgz (Root Library)
- expo-router-3.5.24.tgz
- server-0.4.4.tgz
- node-2.15.0.tgz
- ❌ undici-6.21.0.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
ImpactA server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process.
Patches
Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.
Publish Date: 2026-03-12
URL: CVE-2026-1528
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-f269-vfmq-vjvj
Release Date: 2026-03-12
Fix Resolution: undici - 7.24.0,undici - 6.24.0
Step up your Open Source Security Game with Mend here
CVE-2026-1526
Vulnerable Library - undici-6.21.0.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-6.21.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @cyclone-ui/storybook-0.3.0.tgz (Root Library)
- expo-router-3.5.24.tgz
- server-0.4.4.tgz
- node-2.15.0.tgz
- ❌ undici-6.21.0.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without enforcing any limit on the decompressed data size. A malicious WebSocket server can send a small compressed frame (a "decompression bomb") that expands to an extremely large size in memory, causing the Node.js process to exhaust available memory and crash or become unresponsive.
The vulnerability exists in the PerMessageDeflate.decompress() method, which accumulates all decompressed chunks in memory and concatenates them into a single Buffer without checking whether the total size exceeds a safe threshold.
Publish Date: 2026-03-12
URL: CVE-2026-1526
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-vrm6-8vpv-qv8q
Release Date: 2026-03-12
Fix Resolution: undici - 7.24.0,undici - 6.24.0
Step up your Open Source Security Game with Mend here
CVE-2025-22150
Vulnerable Library - undici-6.21.0.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-6.21.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @cyclone-ui/storybook-0.3.0.tgz (Root Library)
- expo-router-3.5.24.tgz
- server-0.4.4.tgz
- node-2.15.0.tgz
- ❌ undici-6.21.0.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.28.5, 6.21.1, and 7.2.3, undici uses "Math.random()" to choose the boundary for a multipart/form-data request. It is known that the output of "Math.random()" can be predicted if several of its generated values are known. If there is a mechanism in an app that sends multipart requests to an attacker-controlled website, they can use this to leak the necessary values. Therefore, an attacker can tamper with the requests going to the backend APIs if certain conditions are met. This is fixed in versions 5.28.5, 6.21.1, and 7.2.3. As a workaround, do not issue multipart requests to attacker controlled servers.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-01-21
URL: CVE-2025-22150
CVSS 3 Score Details (6.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-c76h-2ccp-4975
Release Date: 2025-01-21
Fix Resolution: undici - 5.28.5,6.21.1,7.2.3,undici - 5.28.5,undici - 6.21.1,undici - 7.2.3
Step up your Open Source Security Game with Mend here
CVE-2026-22030
Vulnerable Library - server-runtime-2.15.0.tgz
Server runtime for Remix
Library home page: https://registry.npmjs.org/@remix-run/server-runtime/-/server-runtime-2.15.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @cyclone-ui/storybook-0.3.0.tgz (Root Library)
- expo-router-3.5.24.tgz
- server-0.4.4.tgz
- node-2.15.0.tgz
- ❌ server-runtime-2.15.0.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
React Router is a router for React. In @remix-run/server-runtime version prior to 2.17.3. and react-router 7.0.0 through 7.11.0, React Router (or Remix v2) is vulnerable to CSRF attacks on document POST requests to UI routes when using server-side route action handlers in Framework Mode, or when using React Server Actions in the new unstable RSC modes. There is no impact if Declarative Mode () or Data Mode (createBrowserRouter/) is being used. This issue has been patched in @remix-run/server-runtime version 2.17.3 and react-router version 7.12.0.
Publish Date: 2026-01-10
URL: CVE-2026-22030
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-h5cw-625j-3rxh
Release Date: 2026-01-09
Fix Resolution: @remix-run/server-runtime - 2.17.3,react-router - 7.12.0
Step up your Open Source Security Game with Mend here
CVE-2026-1525
Vulnerable Library - undici-6.21.0.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-6.21.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @cyclone-ui/storybook-0.3.0.tgz (Root Library)
- expo-router-3.5.24.tgz
- server-0.4.4.tgz
- node-2.15.0.tgz
- ❌ undici-6.21.0.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire.
Who is impacted:
- Applications using undici.request(), undici.Client, or similar low-level APIs with headers passed as flat arrays
- Applications that accept user-controlled header names without case-normalization
Potential consequences:
- Denial of Service: Strict HTTP parsers (proxies, servers) will reject requests with duplicate Content-Length headers (400 Bad Request)
- HTTP Request Smuggling: In deployments where an intermediary and backend interpret duplicate headers inconsistently (e.g., one uses the first value, the other uses the last), this can enable request smuggling attacks leading to ACL bypass, cache poisoning, or credential hijacking
Publish Date: 2026-03-12
URL: CVE-2026-1525
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-2mjp-6q6p-2qxm
Release Date: 2026-03-12
Fix Resolution: undici - 6.24.0,undici - 7.24.0
Step up your Open Source Security Game with Mend here
CVE-2025-9910
Vulnerable Library - jsondiffpatch-0.5.0.tgz
Library home page: https://registry.npmjs.org/jsondiffpatch/-/jsondiffpatch-0.5.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @cyclone-ui/storybook-0.3.0.tgz (Root Library)
- jotai-devtools-0.10.1.tgz
- ❌ jsondiffpatch-0.5.0.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Versions of the package jsondiffpatch before 0.7.2 are vulnerable to Cross-site Scripting (XSS) via HtmlFormatter::nodeBegin. An attacker can inject malicious scripts into HTML payloads that may lead to code execution if untrusted payloads were used as source for the diff, and the result renderer using the built-in html formatter on a private website.
Publish Date: 2025-09-11
URL: CVE-2025-9910
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2025-09-11
Fix Resolution: jsondiffpatch - 0.7.2,jsondiffpatch - 0.7.2
Step up your Open Source Security Game with Mend here
CVE-2026-22036
Vulnerable Library - undici-6.21.0.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-6.21.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @cyclone-ui/storybook-0.3.0.tgz (Root Library)
- expo-router-3.5.24.tgz
- server-0.4.4.tgz
- node-2.15.0.tgz
- ❌ undici-6.21.0.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands compression steps leading to high CPU usage and excessive memory allocation. This vulnerability is fixed in 7.18.0 and 6.23.0.
Publish Date: 2026-01-14
URL: CVE-2026-22036
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://osv.dev/vulnerability/GHSA-g9mf-h72j-4rw9
Release Date: 2026-01-14
Fix Resolution: undici - 7.18.2,undici - 6.23.0,https://github.com/nodejs/undici.git - v6.23.0,https://github.com/nodejs/undici.git - v7.18.2
Step up your Open Source Security Game with Mend here
CVE-2026-8656
Vulnerable Library - jsondiffpatch-0.5.0.tgz
Library home page: https://registry.npmjs.org/jsondiffpatch/-/jsondiffpatch-0.5.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @cyclone-ui/storybook-0.3.0.tgz (Root Library)
- jotai-devtools-0.10.1.tgz
- ❌ jsondiffpatch-0.5.0.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Versions of the package jsondiffpatch before 0.7.6 are vulnerable to Cross-site Scripting (XSS) via the annotated formatter due to improper sanitization of JSON values and property names. If an application compares untrusted JSON/object data and renders annotated formatter output in the DOM, attacker-controlled HTML can be interpreted by the browser, resulting in XSS.
Publish Date: 2026-05-16
URL: CVE-2026-8656
CVSS 3 Score Details (4.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-05-16
Fix Resolution: jsondiffpatch - 0.7.6,jsondiffpatch - 0.7.6
Step up your Open Source Security Game with Mend here
CVE-2026-1527
Vulnerable Library - undici-6.21.0.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-6.21.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @cyclone-ui/storybook-0.3.0.tgz (Root Library)
- expo-router-3.5.24.tgz
- server-0.4.4.tgz
- node-2.15.0.tgz
- ❌ undici-6.21.0.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
ImpactWhen an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject CRLF sequences (\r\n) to:
- Inject arbitrary HTTP headers
- Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services (Redis, Memcached, Elasticsearch)
The vulnerability exists because undici writes the upgrade value directly to the socket without validating for invalid header characters:
// lib/dispatcher/client-h1.js:1121
if (upgrade) {
header += "connection: upgrade\r\nupgrade: ${upgrade}\r\n"
}
Publish Date: 2026-03-12
URL: CVE-2026-1527
CVSS 3 Score Details (4.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-4992-7rv2-5pvq
Release Date: 2026-03-12
Fix Resolution: undici - 6.24.0,undici - 7.24.0
Step up your Open Source Security Game with Mend here
CVE-2025-47279
Vulnerable Library - undici-6.21.0.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-6.21.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @cyclone-ui/storybook-0.3.0.tgz (Root Library)
- expo-router-3.5.24.tgz
- server-0.4.4.tgz
- node-2.15.0.tgz
- ❌ undici-6.21.0.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Undici is an HTTP/1.1 client for Node.js. Prior to versions 5.29.0, 6.21.2, and 7.5.0, applications that use undici to implement a webhook-like system are vulnerable. If the attacker set up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak. This has been patched in versions 5.29.0, 6.21.2, and 7.5.0. As a workaound, avoid calling a webhook repeatedly if the webhook fails.
Publish Date: 2025-05-15
URL: CVE-2025-47279
CVSS 3 Score Details (3.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-cxrh-j4jr-qwg3
Release Date: 2025-05-15
Fix Resolution: undici - 5.29.0,https://github.com/nodejs/undici.git - v7.5.0,https://github.com/nodejs/undici.git - v6.21.2,undici - 7.5.0,undici - 6.21.2,https://github.com/nodejs/undici.git - v5.29.0
Step up your Open Source Security Game with Mend here
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - node-2.15.0.tgz
Node.js platform abstractions for Remix
Library home page: https://registry.npmjs.org/@remix-run/node/-/node-2.15.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
React Router is a router for React. In @react-router/node versions 7.0.0 through 7.9.3, @remix-run/deno prior to version 2.17.2, and @remix-run/node prior to version 2.17.2, if createFileSessionStorage() is being used from @react-router/node (or @remix-run/node/@remix-run/deno in Remix v2) with an unsigned cookie, it is possible for an attacker to cause the session to try to read/write from a location outside the specified session file directory. The success of the attack would depend on the permissions of the web server process to access those files. Read files cannot be returned directly to the attacker. Session file reads would only succeed if the file matched the expected session file format. If the file matched the session file format, the data would be populated into the server side session but not directly returned to the attacker unless the application logic returned specific session information. This issue has been patched in @react-router/node version 7.9.4, @remix-run/deno version 2.17.2, and @remix-run/node version 2.17.2.
Publish Date: 2026-01-10
URL: CVE-2025-61686
CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-9583-h5hc-x8cw
Release Date: 2026-01-08
Fix Resolution: https://github.com/remix-run/react-router.git - react-router@7.9.4,@react-router/node - 7.9.4,react-router - no_fix,@remix-run/node - 2.17.2,@remix-run/deno - 2.17.2
Step up your Open Source Security Game with Mend here
Vulnerable Library - jsondiffpatch-0.5.0.tgz
Library home page: https://registry.npmjs.org/jsondiffpatch/-/jsondiffpatch-0.5.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Versions of the package jsondiffpatch before 0.7.6 are vulnerable to Prototype Pollution via the jsondiffpatch.patch() and jsondiffpatch/formatters/jsonpatch.patch() APIs. An attacker can perform prototype pollution by supplying crafted delta or JSON Patch documents, as attacker-controlled property names and path segments are used to traverse and modify objects without restricting access to special properties like proto or constructor.prototype, allowing modification of Object.prototype.
Publish Date: 2026-05-16
URL: CVE-2026-8657
CVSS 3 Score Details (8.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-05-16
Fix Resolution: jsondiffpatch - 0.7.6,jsondiffpatch - 0.7.6
Step up your Open Source Security Game with Mend here
Vulnerable Library - router-1.21.0.tgz
Nested/Data-driven/Framework-agnostic Routing
Library home page: https://registry.npmjs.org/@remix-run/router/-/router-1.21.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
React Router is a router for React. In @remix-run/router version prior to 1.23.2. and react-router 7.0.0 through 7.11.0, React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes can result in unsafe URLs causing unintended javascript execution on the client. This is only an issue if you are creating redirect paths from untrusted content or via an open redirect. There is no impact if Declarative Mode () is being used. This issue has been patched in @remix-run/router version 1.23.2 and react-router version 7.12.0.
Publish Date: 2026-01-10
URL: CVE-2026-22029
CVSS 3 Score Details (8.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-2w69-qvjg-hvjx
Release Date: 2026-01-08
Fix Resolution: https://github.com/remix-run/react-router.git - react-router@7.12.0,@remix-run/router - 1.23.2,https://github.com/remix-run/react-router.git - @remix-run/router@1.23.2,react-router - 7.12.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - undici-6.21.0.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-6.21.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
ImpactThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. A malicious server can respond with an out-of-range server_max_window_bits value (outside zlib's valid range of 8-15). When the server subsequently sends a compressed frame, the client attempts to create a zlib InflateRaw instance with the invalid windowBits value, causing a synchronous RangeError exception that is not caught, resulting in immediate process termination.
The vulnerability exists because:
Publish Date: 2026-03-12
URL: CVE-2026-2229
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-v9p9-hfj2-hcw8
Release Date: 2026-03-12
Fix Resolution: undici - 7.24.0,undici - 6.24.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - undici-6.21.0.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-6.21.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
ImpactA server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process.
Patches
Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.
Publish Date: 2026-03-12
URL: CVE-2026-1528
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-f269-vfmq-vjvj
Release Date: 2026-03-12
Fix Resolution: undici - 7.24.0,undici - 6.24.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - undici-6.21.0.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-6.21.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without enforcing any limit on the decompressed data size. A malicious WebSocket server can send a small compressed frame (a "decompression bomb") that expands to an extremely large size in memory, causing the Node.js process to exhaust available memory and crash or become unresponsive.
The vulnerability exists in the PerMessageDeflate.decompress() method, which accumulates all decompressed chunks in memory and concatenates them into a single Buffer without checking whether the total size exceeds a safe threshold.
Publish Date: 2026-03-12
URL: CVE-2026-1526
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-vrm6-8vpv-qv8q
Release Date: 2026-03-12
Fix Resolution: undici - 7.24.0,undici - 6.24.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - undici-6.21.0.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-6.21.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.28.5, 6.21.1, and 7.2.3, undici uses "Math.random()" to choose the boundary for a multipart/form-data request. It is known that the output of "Math.random()" can be predicted if several of its generated values are known. If there is a mechanism in an app that sends multipart requests to an attacker-controlled website, they can use this to leak the necessary values. Therefore, an attacker can tamper with the requests going to the backend APIs if certain conditions are met. This is fixed in versions 5.28.5, 6.21.1, and 7.2.3. As a workaround, do not issue multipart requests to attacker controlled servers.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-01-21
URL: CVE-2025-22150
CVSS 3 Score Details (6.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-c76h-2ccp-4975
Release Date: 2025-01-21
Fix Resolution: undici - 5.28.5,6.21.1,7.2.3,undici - 5.28.5,undici - 6.21.1,undici - 7.2.3
Step up your Open Source Security Game with Mend here
Vulnerable Library - server-runtime-2.15.0.tgz
Server runtime for Remix
Library home page: https://registry.npmjs.org/@remix-run/server-runtime/-/server-runtime-2.15.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
React Router is a router for React. In @remix-run/server-runtime version prior to 2.17.3. and react-router 7.0.0 through 7.11.0, React Router (or Remix v2) is vulnerable to CSRF attacks on document POST requests to UI routes when using server-side route action handlers in Framework Mode, or when using React Server Actions in the new unstable RSC modes. There is no impact if Declarative Mode () or Data Mode (createBrowserRouter/) is being used. This issue has been patched in @remix-run/server-runtime version 2.17.3 and react-router version 7.12.0.
Publish Date: 2026-01-10
URL: CVE-2026-22030
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-h5cw-625j-3rxh
Release Date: 2026-01-09
Fix Resolution: @remix-run/server-runtime - 2.17.3,react-router - 7.12.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - undici-6.21.0.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-6.21.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire.
Who is impacted:
Potential consequences:
Publish Date: 2026-03-12
URL: CVE-2026-1525
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-2mjp-6q6p-2qxm
Release Date: 2026-03-12
Fix Resolution: undici - 6.24.0,undici - 7.24.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - jsondiffpatch-0.5.0.tgz
Library home page: https://registry.npmjs.org/jsondiffpatch/-/jsondiffpatch-0.5.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Versions of the package jsondiffpatch before 0.7.2 are vulnerable to Cross-site Scripting (XSS) via HtmlFormatter::nodeBegin. An attacker can inject malicious scripts into HTML payloads that may lead to code execution if untrusted payloads were used as source for the diff, and the result renderer using the built-in html formatter on a private website.
Publish Date: 2025-09-11
URL: CVE-2025-9910
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2025-09-11
Fix Resolution: jsondiffpatch - 0.7.2,jsondiffpatch - 0.7.2
Step up your Open Source Security Game with Mend here
Vulnerable Library - undici-6.21.0.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-6.21.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands compression steps leading to high CPU usage and excessive memory allocation. This vulnerability is fixed in 7.18.0 and 6.23.0.
Publish Date: 2026-01-14
URL: CVE-2026-22036
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://osv.dev/vulnerability/GHSA-g9mf-h72j-4rw9
Release Date: 2026-01-14
Fix Resolution: undici - 7.18.2,undici - 6.23.0,https://github.com/nodejs/undici.git - v6.23.0,https://github.com/nodejs/undici.git - v7.18.2
Step up your Open Source Security Game with Mend here
Vulnerable Library - jsondiffpatch-0.5.0.tgz
Library home page: https://registry.npmjs.org/jsondiffpatch/-/jsondiffpatch-0.5.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Versions of the package jsondiffpatch before 0.7.6 are vulnerable to Cross-site Scripting (XSS) via the annotated formatter due to improper sanitization of JSON values and property names. If an application compares untrusted JSON/object data and renders annotated formatter output in the DOM, attacker-controlled HTML can be interpreted by the browser, resulting in XSS.
Publish Date: 2026-05-16
URL: CVE-2026-8656
CVSS 3 Score Details (4.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-05-16
Fix Resolution: jsondiffpatch - 0.7.6,jsondiffpatch - 0.7.6
Step up your Open Source Security Game with Mend here
Vulnerable Library - undici-6.21.0.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-6.21.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
ImpactWhen an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject CRLF sequences (\r\n) to:
The vulnerability exists because undici writes the upgrade value directly to the socket without validating for invalid header characters:
// lib/dispatcher/client-h1.js:1121
if (upgrade) {
header += "connection: upgrade\r\nupgrade: ${upgrade}\r\n"
}
Publish Date: 2026-03-12
URL: CVE-2026-1527
CVSS 3 Score Details (4.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-4992-7rv2-5pvq
Release Date: 2026-03-12
Fix Resolution: undici - 6.24.0,undici - 7.24.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - undici-6.21.0.tgz
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-6.21.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Undici is an HTTP/1.1 client for Node.js. Prior to versions 5.29.0, 6.21.2, and 7.5.0, applications that use undici to implement a webhook-like system are vulnerable. If the attacker set up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak. This has been patched in versions 5.29.0, 6.21.2, and 7.5.0. As a workaound, avoid calling a webhook repeatedly if the webhook fails.
Publish Date: 2025-05-15
URL: CVE-2025-47279
CVSS 3 Score Details (3.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-cxrh-j4jr-qwg3
Release Date: 2025-05-15
Fix Resolution: undici - 5.29.0,https://github.com/nodejs/undici.git - v7.5.0,https://github.com/nodejs/undici.git - v6.21.2,undici - 7.5.0,undici - 6.21.2,https://github.com/nodejs/undici.git - v5.29.0
Step up your Open Source Security Game with Mend here