Vulnerable Library - @cyclone-ui/cli-0.6.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13
Vulnerabilities

| Vulnerability | Severity | CVSS | Dependency | Type | Fixed in (@cyclone-ui/cli version) | Remediation Possible** |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2026-27699 | Critical | 9.1 | basic-ftp-5.0.5.tgz | Transitive | N/A* | ❌ |
| CVE-2026-39983 | High | 8.6 | basic-ftp-5.0.5.tgz | Transitive | N/A* | ❌ |
| CVE-2026-44240 | High | 7.5 | basic-ftp-5.0.5.tgz | Transitive | N/A* | ❌ |
| CVE-2026-41324 | High | 7.5 | basic-ftp-5.0.5.tgz | Transitive | N/A* | ❌ |
| CVE-2025-8262 | High | 7.5 | yarn-1.22.22.tgz | Transitive | N/A* | ❌ |
| CVE-2025-59343 | High | 7.5 | tar-fs-2.1.1.tgz | Transitive | N/A* | ❌ |
| CVE-2025-48387 | High | 7.5 | tar-fs-2.1.1.tgz | Transitive | N/A* | ❌ |
| CVE-2024-12905 | High | 7.5 | tar-fs-2.1.1.tgz | Transitive | N/A* | ❌ |
| CVE-2026-0775 | High | 7.0 | npm-10.9.1.tgz | Transitive | N/A* | ❌ |
| CVE-2026-42338 | Medium | 5.4 | ip-address-9.0.5.tgz | Transitive | N/A* | ❌ |
| CVE-2025-9308 | Low | 3.3 | yarn-1.22.22.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities there is no version of the direct dependency that carries a fix. Check the "Details" section below to see whether there is a version of the transitive dependency in which the vulnerability is fixed.
**In some cases a Remediation PR cannot be created automatically for a vulnerability even though a remediation is available.
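Where the direct dependency has no fixed release, the consuming project can still force the transitive packages to the fixed versions named in the Details below with an npm `overrides` entry in its own package.json (Yarn's equivalent is `resolutions`). The helper below is an added example, not part of this report or of @cyclone-ui/cli; the version floors are the Fix Resolution values from this report, and the range parsing and version comparison are simplified assumptions (plain `x.y.z` strings, no pre-release tags).

```javascript
// Added example (not part of the Mend report or of @cyclone-ui/cli): build an
// npm "overrides" map that raises the transitive packages named in this report
// to the fixed versions it lists, without downgrading anything already pinned
// higher.

// Minimum fixed versions taken from the "Fix Resolution" lines of this report.
// ip-address 10.1.1 is a major bump over the 9.0.5 that socks-2.8.3 depends on,
// so that override needs a test run of the SOCKS proxy path before it ships.
const MINIMUM_VERSIONS = {
  'basic-ftp': '5.3.1',   // CVE-2026-27699, -39983, -41324, -44240
  'tar-fs': '2.1.4',      // CVE-2024-12905, CVE-2025-48387, CVE-2025-59343 on the 2.x line
  'ip-address': '10.1.1', // CVE-2026-42338
};

// Compare two dotted version strings; returns -1, 0 or 1.
// Assumption for this example: no pre-release or build suffixes.
function compareSemver(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Strip a leading range operator (^, ~, >=) so an existing override can be
// compared against the floor; returns null for anything unrecognised.
function bareVersion(spec) {
  const m = /^[\^~>=\s]*(\d+\.\d+\.\d+)/.exec(spec);
  return m ? m[1] : null;
}

// Return a new package.json object whose "overrides" pin every package in
// `minimums` to at least its fixed version. The input object is not mutated,
// and existing overrides already at or above the floor are left alone.
function applyOverrides(pkg, minimums = MINIMUM_VERSIONS) {
  const overrides = { ...(pkg.overrides || {}) };
  for (const [name, minVersion] of Object.entries(minimums)) {
    const current = overrides[name] ? bareVersion(overrides[name]) : null;
    if (current === null || compareSemver(current, minVersion) < 0) {
      overrides[name] = `>=${minVersion}`;
    }
  }
  return { ...pkg, overrides };
}
```

Read package.json, pass the parsed object through `applyOverrides`, write the result back, run `npm install`, and confirm with `npm ls basic-ftp tar-fs ip-address` that no 5.0.5, 2.1.1 or 9.0.5 copies remain in the tree. The npm and yarn findings are not covered: this report lists no fixed release for either, and both are bundled by plugin-plugins for plugin installation, so whether to keep that feature is a product decision rather than an override. Treat the ip-address override as a major-version change and exercise the proxy code path afterwards.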
Details
CVE-2026-27699
Vulnerable Library - basic-ftp-5.0.5.tgz
Library home page: https://registry.npmjs.org/basic-ftp/-/basic-ftp-5.0.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @cyclone-ui/cli-0.6.1.tgz (Root Library)
  - plugin-update-4.6.14.tgz
    - proxy-agent-6.4.0.tgz
      - pac-proxy-agent-7.0.2.tgz
        - get-uri-6.0.3.tgz
          - ❌ basic-ftp-5.0.5.tgz (Vulnerable Library)
Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13
Found in base branch: main
Vulnerability Details
The "basic-ftp" FTP client library for Node.js contains a path traversal vulnerability (CWE-22) in versions prior to 5.2.0 in the "downloadToDir()" method. A malicious FTP server can send directory listings with filenames containing path traversal sequences ("../") that cause files to be written outside the intended download directory. Version 5.2.0 patches the issue.
Publish Date: 2026-02-25
URL: CVE-2026-27699
CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-02-25
Fix Resolution: https://github.com/patrickjuchli/basic-ftp.git - v5.2.0
Step up your Open Source Security Game with Mend here
CVE-2026-39983
Vulnerable Library - basic-ftp-5.0.5.tgz
Library home page: https://registry.npmjs.org/basic-ftp/-/basic-ftp-5.0.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @cyclone-ui/cli-0.6.1.tgz (Root Library)
  - plugin-update-4.6.14.tgz
    - proxy-agent-6.4.0.tgz
      - pac-proxy-agent-7.0.2.tgz
        - get-uri-6.0.3.tgz
          - ❌ basic-ftp-5.0.5.tgz (Vulnerable Library)
Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13
Found in base branch: main
Vulnerability Details
basic-ftp is an FTP client for Node.js. Prior to 5.2.1, basic-ftp allows FTP command injection via CRLF sequences (\r\n) in file path parameters passed to high-level path APIs such as cd(), remove(), rename(), uploadFrom(), downloadTo(), list(), and removeDir(). The library's protectWhitespace() helper only handles leading spaces and returns other paths unchanged, while FtpContext.send() writes the resulting command string directly to the control socket with \r\n appended. This lets attacker-controlled path strings split one intended FTP command into multiple commands. This vulnerability is fixed in 5.2.1.
Publish Date: 2026-04-09
URL: CVE-2026-39983
CVSS 3 Score Details (8.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: High
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2026-04-09
Fix Resolution: https://github.com/patrickjuchli/basic-ftp.git - v5.2.1
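To make the CRLF point concrete, the following is an added example and not basic-ftp's code: an unchecked command builder beside a hardened one, and a helper that shows how a server splits the raw control-channel bytes into commands. The RETR/DELE pair and the path string are constructed for this example.

```javascript
// Added example (not basic-ftp's own code): what a CRLF inside a path argument
// does on the FTP control channel, and the check that stops it.

// Build one control-channel line the way a naive client does: verb, space,
// argument, CRLF. Nothing inspects the argument, so an argument that itself
// contains "\r\n" becomes two lines on the wire.
function buildCommandUnchecked(verb, arg) {
  return `${verb} ${arg}\r\n`;
}

// Split a raw control-channel string into the commands a server would execute
// (RFC 959 terminates each command with CRLF).
function commandsAsServerSees(raw) {
  return raw.split('\r\n').filter((line) => line.length > 0);
}

// Hardened builder: refuse any argument containing CR, LF or NUL. No legitimate
// FTP path needs them, and each one changes how the line is parsed (LF alone is
// rejected too because some servers accept bare-LF line endings).
function buildCommand(verb, arg) {
  if (/[\r\n\0]/.test(arg)) {
    throw new Error(`refusing to send ${verb}: argument contains CR/LF/NUL`);
  }
  return `${verb} ${arg}\r\n`;
}

// Constructed attacker-controlled path: looks like a filename to the caller,
// but splices a DELE for a different file onto the same control connection.
const INJECTED_PATH = 'reports/q1.csv\r\nDELE backups/latest.tar';
```

The useful property of the hardened builder is that it fails before the socket write, so the control connection is never left in an ambiguous state; rejecting at the API boundary is preferable to trying to escape the characters, since FTP has no escaping mechanism for them.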
CVE-2026-44240
Vulnerable Library - basic-ftp-5.0.5.tgz
Library home page: https://registry.npmjs.org/basic-ftp/-/basic-ftp-5.0.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @cyclone-ui/cli-0.6.1.tgz (Root Library)
  - plugin-update-4.6.14.tgz
    - proxy-agent-6.4.0.tgz
      - pac-proxy-agent-7.0.2.tgz
        - get-uri-6.0.3.tgz
          - ❌ basic-ftp-5.0.5.tgz (Vulnerable Library)
Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13
Found in base branch: main
Vulnerability Details
basic-ftp is an FTP client for Node.js. Prior to 5.3.1, basic-ftp is vulnerable to client-side denial of service when parsing FTP control-channel multiline responses. A malicious or compromised FTP server can send an unterminated multiline response during the initial FTP banner phase, before authentication. The client keeps appending attacker-controlled data into FtpContext._partialResponse and repeatedly reparses the accumulated buffer without enforcing a maximum control response size. As a result, an application using basic-ftp can remain stuck in connect() while memory and CPU usage grow under attacker-controlled input. This can lead to process-level denial of service, container OOM kills, worker restarts, queue backlog, or service degradation in applications that automatically connect to FTP endpoints. This vulnerability is fixed in 5.3.1.
Publish Date: 2026-05-12
URL: CVE-2026-44240
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-rpmf-866q-6p89
Release Date: 2026-05-06
Fix Resolution: basic-ftp - 5.3.1
CVE-2026-41324
Vulnerable Library - basic-ftp-5.0.5.tgz
Library home page: https://registry.npmjs.org/basic-ftp/-/basic-ftp-5.0.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @cyclone-ui/cli-0.6.1.tgz (Root Library)
  - plugin-update-4.6.14.tgz
    - proxy-agent-6.4.0.tgz
      - pac-proxy-agent-7.0.2.tgz
        - get-uri-6.0.3.tgz
          - ❌ basic-ftp-5.0.5.tgz (Vulnerable Library)
Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13
Found in base branch: main
Vulnerability Details
basic-ftp is an FTP client for Node.js. Versions prior to 5.3.0 are vulnerable to denial of service through unbounded memory growth while processing directory listings from a remote FTP server. A malicious or compromised server can send an extremely large or never-ending listing response to "Client.list()", causing the client process to consume memory until it becomes unstable or crashes. Version 5.3.0 fixes the issue.
Publish Date: 2026-04-24
URL: CVE-2026-41324
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-rp42-5vxx-qpwr
Release Date: 2026-04-24
Fix Resolution: basic-ftp - 5.3.0
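The two basic-ftp denial-of-service findings, CVE-2026-44240 (an unterminated multi-line reply on the control channel) and CVE-2026-41324 (a never-ending listing on the data channel), share one root cause: accumulating server-supplied bytes with no upper bound. The reader below is an added example, not basic-ftp's own code. It parses replies by the RFC 959 rule that a `ddd-` line opens a multi-line reply and a line beginning `ddd ` (same code, then a space) closes it, refuses to buffer more than a fixed amount of unterminated data, and applies the same kind of cap to a listing stream. The two limits, the sample banner and the hostile banner generator are constructed for this example; lengths are counted in string characters as a stand-in for bytes.

```javascript
// Added example (not basic-ftp's own code): a control-channel reply reader
// with a hard cap on unterminated data, and the same cap applied to a
// directory-listing stream. Limits and samples are constructed.
const MAX_CONTROL_REPLY_CHARS = 64 * 1024;
const MAX_LISTING_CHARS = 16 * 1024 * 1024;

class ResponseTooLargeError extends Error {}

// Take one complete reply off the front of `buf` (RFC 959: "ddd-" opens a
// multi-line reply, a line starting "ddd " closes it). Returns
// { code, text, rest } or null when the reply is not complete yet.
function parseReply(buf) {
  const end = buf.indexOf('\r\n');
  if (end === -1) return null;
  const firstLine = buf.slice(0, end);
  const m = /^(\d{3})([ -])(.*)$/.exec(firstLine);
  if (!m) throw new Error(`malformed reply line: ${JSON.stringify(firstLine)}`);
  const code = m[1];
  if (m[2] === ' ') {
    return { code: Number(code), text: m[3], rest: buf.slice(end + 2) };
  }
  const textLines = [m[3]];
  let pos = end + 2;
  for (;;) {
    const next = buf.indexOf('\r\n', pos);
    if (next === -1) return null;               // closing "ddd " line not here yet
    const line = buf.slice(pos, next);
    pos = next + 2;
    if (line.startsWith(code + ' ')) {
      textLines.push(line.slice(4));
      return { code: Number(code), text: textLines.join('\n'), rest: buf.slice(pos) };
    }
    textLines.push(line);
  }
}

// Accumulates socket chunks and returns the replies each chunk completes. The
// pending buffer can never exceed the cap, so an unterminated "220-" banner
// fails fast instead of growing until the process is killed for memory.
class BoundedReplyReader {
  constructor(maxChars = MAX_CONTROL_REPLY_CHARS) {
    this.maxChars = maxChars;
    this.pending = '';
  }

  push(chunk) {
    if (this.pending.length + chunk.length > this.maxChars) {
      throw new ResponseTooLargeError(`control reply exceeds ${this.maxChars} characters without terminating`);
    }
    this.pending += chunk;
    const replies = [];
    for (;;) {
      const reply = parseReply(this.pending);
      if (reply === null) break;
      this.pending = reply.rest;
      replies.push({ code: reply.code, text: reply.text });
    }
    return replies;
  }
}

// Same idea on the data connection carrying a LIST/MLSD result: count as the
// chunks arrive and abort as soon as the cap is crossed, before any parsing.
function collectListing(chunks, maxChars = MAX_LISTING_CHARS) {
  let total = 0;
  const parts = [];
  for (const chunk of chunks) {
    total += chunk.length;
    if (total > maxChars) {
      throw new ResponseTooLargeError(`directory listing exceeds ${maxChars} characters`);
    }
    parts.push(chunk);
  }
  return parts.join('');
}

// Constructed samples: a legitimate banner split across two chunks, and a
// generator for a banner that opens with "220-" and never sends "220 ".
const SAMPLE_BANNER_CHUNKS = ['220-Welcome to the ', 'example server\r\n220 Ready\r\n'];

function hostileBannerChunks(count) {
  return Array.from({ length: count }, () => '220-' + 'A'.repeat(1020) + '\r\n');
}
```

The reader still re-scans the pending buffer on every chunk, which is the quadratic cost the advisory describes; with the cap in place that cost is bounded, which is the point. Pair the cap with a connect timeout so a server that trickles one byte at a time cannot hold the slot open indefinitely either.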
CVE-2025-8262
Vulnerable Library - yarn-1.22.22.tgz
Library home page: https://registry.npmjs.org/yarn/-/yarn-1.22.22.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @cyclone-ui/cli-0.6.1.tgz (Root Library)
  - plugin-plugins-5.4.19.tgz
    - ❌ yarn-1.22.22.tgz (Vulnerable Library)
Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13
Found in base branch: main
Vulnerability Details
A vulnerability was found in yarnpkg Yarn up to 1.22.22 and classified as problematic. The affected code is the function explodeHostedGitFragment in src/resolvers/exotics/hosted-git-resolver.js; manipulation of its input leads to inefficient regular expression complexity (ReDoS). The attack can be launched remotely. The patch is identified as commit 97731871e674bf93bcbf29e9d3258da8685f3076; applying it is recommended, as no fixed release is listed here.
Publish Date: 2025-07-28
URL: CVE-2025-8262
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
CVE-2025-59343
Vulnerable Library - tar-fs-2.1.1.tgz
filesystem bindings for tar-stream
Library home page: https://registry.npmjs.org/tar-fs/-/tar-fs-2.1.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @cyclone-ui/cli-0.6.1.tgz (Root Library)
  - plugin-update-4.6.14.tgz
    - ❌ tar-fs-2.1.1.tgz (Vulnerable Library)
Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13
Found in base branch: main
Vulnerability Details
tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.1.1, 2.1.4, and 1.16.6 are vulnerable to a symlink validation bypass when the destination directory is predictable and a specific tarball is extracted. This issue has been patched in versions 3.1.1, 2.1.4, and 1.16.6 (the versions named in the Fix Resolution below; note that 2.1.3 and 1.16.5, the fixes for CVE-2025-48387, are still affected). As a workaround, use the ignore option to skip entries that are not regular files or directories.
Publish Date: 2025-09-24
URL: CVE-2025-59343
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-vj76-c3g6-qr5v
Release Date: 2025-09-24
Fix Resolution: tar-fs - 1.16.6, 2.1.4, 3.1.1
CVE-2025-48387
Vulnerable Library - tar-fs-2.1.1.tgz
filesystem bindings for tar-stream
Library home page: https://registry.npmjs.org/tar-fs/-/tar-fs-2.1.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @cyclone-ui/cli-0.6.1.tgz (Root Library)
  - plugin-update-4.6.14.tgz
    - ❌ tar-fs-2.1.1.tgz (Vulnerable Library)
Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13
Found in base branch: main
Vulnerability Details
tar-fs provides filesystem bindings for tar-stream. In versions prior to 3.0.9, 2.1.3, and 1.16.5, extract can write outside the specified directory when given a specific tarball. This has been patched in versions 3.0.9, 2.1.3, and 1.16.5. As a workaround, use the ignore option to skip entries that are not regular files or directories.
Publish Date: 2025-06-02
URL: CVE-2025-48387
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-8cj5-5rvv-wf4v
Release Date: 2025-06-02
Fix Resolution: tar-fs - 1.16.5, 2.1.3, 3.0.9 (https://github.com/mafintosh/tar-fs.git - v1.16.5, v2.1.3, v3.0.9)
CVE-2024-12905
Vulnerable Library - tar-fs-2.1.1.tgz
filesystem bindings for tar-stream
Library home page: https://registry.npmjs.org/tar-fs/-/tar-fs-2.1.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @cyclone-ui/cli-0.6.1.tgz (Root Library)
  - plugin-update-4.6.14.tgz
    - ❌ tar-fs-2.1.1.tgz (Vulnerable Library)
Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13
Found in base branch: main
Vulnerability Details
Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") in tar-fs. Extracting a maliciously crafted tar file can result in unauthorized file writes or overwrites outside the intended extraction directory. The issue is in index.js of the tar-fs package.
This issue affects tar-fs from 0.0.0 before 1.16.4, from 2.0.0 before 2.1.2, and from 3.0.0 before 3.0.8.
Publish Date: 2025-03-27
URL: CVE-2024-12905
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2025-03-27
Fix Resolution: tar-fs - 1.16.4, 2.1.2, 3.0.8 (https://github.com/mafintosh/tar-fs.git - v1.16.4, v2.1.2, v3.0.8)
CVE-2026-0775
Vulnerable Library - npm-10.9.1.tgz
a package manager for JavaScript
Library home page: https://registry.npmjs.org/npm/-/npm-10.9.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @cyclone-ui/cli-0.6.1.tgz (Root Library)
  - plugin-plugins-5.4.19.tgz
    - ❌ npm-10.9.1.tgz (Vulnerable Library)
Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13
Found in base branch: main
Vulnerability Details
npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of npm cli. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
The specific flaw exists within the handling of modules. The application loads modules from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of a target user. Was ZDI-CAN-25430.
Publish Date: 2026-01-23
URL: CVE-2026-0775
CVSS 3 Score Details (7.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
CVE-2026-42338
Vulnerable Library - ip-address-9.0.5.tgz
Library home page: https://registry.npmjs.org/ip-address/-/ip-address-9.0.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @cyclone-ui/cli-0.6.1.tgz (Root Library)
  - plugin-update-4.6.14.tgz
    - proxy-agent-6.4.0.tgz
      - socks-proxy-agent-8.0.4.tgz
        - socks-2.8.3.tgz
          - ❌ ip-address-9.0.5.tgz (Vulnerable Library)
Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13
Found in base branch: main
Vulnerability Details
ip-address is a library for parsing and manipulating IPv4 and IPv6 addresses in JavaScript. Prior to 10.1.1, Address6.group() and Address6.link() do not HTML-escape attacker-controlled content before embedding it in the HTML strings they return, and AddressError.parseMessage (emitted by the Address6 constructor for invalid input) can contain unescaped attacker-controlled content in one branch. An application that (1) passes untrusted input to Address6 and (2) renders the output of these methods, or the thrown error's parseMessage, as HTML (e.g. via innerHTML) is vulnerable to cross-site scripting. This vulnerability is fixed in 10.1.1.
Publish Date: 2026-05-12
URL: CVE-2026-42338
CVSS 3 Score Details (5.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-v2v4-37r5-5v8g
Release Date: 2026-05-06
Fix Resolution: ip-address - 10.1.1 (https://github.com/beaugunderson/ip-address.git - v10.1.1)
CVE-2025-9308
Vulnerable Library - yarn-1.22.22.tgz
Library home page: https://registry.npmjs.org/yarn/-/yarn-1.22.22.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @cyclone-ui/cli-0.6.1.tgz (Root Library)
  - plugin-plugins-5.4.19.tgz
    - ❌ yarn-1.22.22.tgz (Vulnerable Library)
Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13
Found in base branch: main
Vulnerability Details
A vulnerability has been found in yarnpkg Yarn up to 1.22.22. It affects the function setOptions in src/util/request-manager.js; manipulation of its input leads to inefficient regular expression complexity (ReDoS). Local access is required for this attack. This vulnerability only affects products that are no longer supported by the maintainer.
Publish Date: 2025-08-21
URL: CVE-2025-9308
CVSS 3 Score Details (3.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low