{ "auditReportVersion": 2, "vulnerabilities": { "@cloudflare/vitest-pool-workers": { "name": "@cloudflare/vitest-pool-workers", "severity": "high", "isDirect": true, "via": [ "miniflare", "wrangler" ], "effects": [], "range": "0.2.1 || 0.9.0 - 0.13.1", "nodes": [ "node_modules/@cloudflare/vitest-pool-workers" ], "fixAvailable": { "name": "@cloudflare/vitest-pool-workers", "version": "0.14.0", "isSemVerMajor": true } }, "ajv": { "name": "ajv", "severity": "moderate", "isDirect": false, "via": [ { "source": 1113714, "name": "ajv", "dependency": "ajv", "title": "ajv has ReDoS when using `$data` option", "url": "https://github.com/advisories/GHSA-2g4f-4pwh-qvx6", "severity": "moderate", "cwe": [ "CWE-400", "CWE-1333" ], "cvss": { "score": 0, "vectorString": null }, "range": "<6.14.0" } ], "effects": [], "range": "<6.14.0", "nodes": [ "node_modules/ajv" ], "fixAvailable": true }, "brace-expansion": { "name": "brace-expansion", "severity": "moderate", "isDirect": false, "via": [ { "source": 1115540, "name": "brace-expansion", "dependency": "brace-expansion", "title": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion", "url": "https://github.com/advisories/GHSA-f886-m6hf-6m8v", "severity": "moderate", "cwe": [ "CWE-400" ], "cvss": { "score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, "range": "<1.1.13" } ], "effects": [], "range": "<1.1.13", "nodes": [ "node_modules/brace-expansion" ], "fixAvailable": true }, "flatted": { "name": "flatted", "severity": "high", "isDirect": false, "via": [ { "source": 1114526, "name": "flatted", "dependency": "flatted", "title": "flatted vulnerable to unbounded recursion DoS in parse() revive phase", "url": "https://github.com/advisories/GHSA-25h7-pfq9-p65f", "severity": "high", "cwe": [ "CWE-674" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<3.4.0" }, { "source": 1115357, "name": "flatted", "dependency": "flatted", "title": "Prototype Pollution via parse() in NodeJS flatted", "url": "https://github.com/advisories/GHSA-rf6f-7fwh-wjgh", "severity": "high", "cwe": [ "CWE-1321" ], "cvss": { "score": 0, "vectorString": null }, "range": "<=3.4.1" } ], "effects": [], "range": "<=3.4.1", "nodes": [ "node_modules/flatted" ], "fixAvailable": true }, "miniflare": { "name": "miniflare", "severity": "high", "isDirect": false, "via": [ "undici", "undici" ], "effects": [ "@cloudflare/vitest-pool-workers", "wrangler" ], "range": "4.20250906.1 - 4.20260312.1", "nodes": [ "node_modules/@cloudflare/vitest-pool-workers/node_modules/miniflare", "node_modules/miniflare" ], "fixAvailable": { "name": "@cloudflare/vitest-pool-workers", "version": "0.14.0", "isSemVerMajor": true } }, "minimatch": { "name": "minimatch", "severity": "high", "isDirect": false, "via": [ { "source": 1113459, "name": "minimatch", "dependency": "minimatch", "title": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern", "url": "https://github.com/advisories/GHSA-3ppc-4f35-3m26", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 0, "vectorString": null }, "range": "<3.1.3" }, { "source": 1113538, "name": "minimatch", "dependency": "minimatch", "title": "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments", "url": "https://github.com/advisories/GHSA-7r86-cg39-jmmj", "severity": "high", "cwe": [ "CWE-407" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<3.1.3" }, { "source": 1113546, "name": "minimatch", "dependency": "minimatch", "title": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions", "url": "https://github.com/advisories/GHSA-23c5-xmqv-rm74", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<3.1.4" } ], "effects": [], "range": "<=3.1.3", "nodes": [ "node_modules/minimatch" ], "fixAvailable": true }, "picomatch": { "name": "picomatch", "severity": "high", "isDirect": false, "via": [ { "source": 1115549, "name": "picomatch", "dependency": "picomatch", "title": "Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching", "url": "https://github.com/advisories/GHSA-3v7f-55p6-f55p", "severity": "moderate", "cwe": [ "CWE-1321" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, "range": "<2.3.2" }, { "source": 1115551, "name": "picomatch", "dependency": "picomatch", "title": "Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching", "url": "https://github.com/advisories/GHSA-3v7f-55p6-f55p", "severity": "moderate", "cwe": [ "CWE-1321" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, "range": ">=4.0.0 <4.0.4" }, { "source": 1115552, "name": "picomatch", "dependency": "picomatch", "title": "Picomatch has a ReDoS vulnerability via extglob quantifiers", "url": "https://github.com/advisories/GHSA-c2c7-rcm5-vvqj", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<2.3.2" }, { "source": 1115554, "name": "picomatch", "dependency": "picomatch", "title": "Picomatch has a ReDoS vulnerability via extglob quantifiers", "url": "https://github.com/advisories/GHSA-c2c7-rcm5-vvqj", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=4.0.0 <4.0.4" } ], "effects": [], "range": "<=2.3.1 || 4.0.0 - 4.0.3", "nodes": [ "node_modules/picomatch", "node_modules/tinyglobby/node_modules/picomatch", "node_modules/vite/node_modules/picomatch", "node_modules/vitest/node_modules/picomatch" ], "fixAvailable": true }, "qs": { "name": "qs", "severity": "low", "isDirect": false, "via": [ { "source": 1113161, "name": "qs", "dependency": "qs", "title": "qs's arrayLimit bypass in comma parsing allows denial of service", "url": "https://github.com/advisories/GHSA-w7fw-mjwx-w883", "severity": "low", "cwe": [ "CWE-20" ], "cvss": { "score": 3.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L" }, "range": ">=6.7.0 <=6.14.1" } ], "effects": [], "range": "6.7.0 - 6.14.1", "nodes": [ "node_modules/qs" ], "fixAvailable": true }, "rollup": { "name": "rollup", "severity": "high", "isDirect": false, "via": [ { "source": 1113515, "name": "rollup", "dependency": "rollup", "title": "Rollup 4 has Arbitrary File Write via Path Traversal", "url": "https://github.com/advisories/GHSA-mw96-cpmx-2vgc", "severity": "high", "cwe": [ "CWE-22" ], "cvss": { "score": 0, "vectorString": null }, "range": ">=4.0.0 <4.59.0" } ], "effects": [], "range": "4.0.0 - 4.58.0", "nodes": [ "node_modules/rollup" ], "fixAvailable": true }, "undici": { "name": "undici", "severity": "high", "isDirect": false, "via": [ { "source": 1112497, "name": "undici", "dependency": "undici", "title": "Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion", "url": "https://github.com/advisories/GHSA-g9mf-h72j-4rw9", "severity": "moderate", "cwe": [ "CWE-770" ], "cvss": { "score": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=7.0.0 <7.18.2" }, { "source": 1114591, "name": "undici", "dependency": "undici", "title": "Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client", "url": "https://github.com/advisories/GHSA-f269-vfmq-vjvj", "severity": "high", "cwe": [ "CWE-248", "CWE-1284" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=7.0.0 <7.24.0" }, { "source": 1114593, "name": "undici", "dependency": "undici", "title": "Undici has an HTTP Request/Response Smuggling issue", "url": "https://github.com/advisories/GHSA-2mjp-6q6p-2qxm", "severity": "moderate", "cwe": [ "CWE-444" ], "cvss": { "score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" }, "range": ">=7.0.0 <7.24.0" }, { "source": 1114637, "name": "undici", "dependency": "undici", "title": "Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression", "url": "https://github.com/advisories/GHSA-vrm6-8vpv-qv8q", "severity": "high", "cwe": [ "CWE-409" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=7.0.0 <7.24.0" }, { "source": 1114639, "name": "undici", "dependency": "undici", "title": "Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation", "url": "https://github.com/advisories/GHSA-v9p9-hfj2-hcw8", "severity": "high", "cwe": [ "CWE-248" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=7.0.0 <7.24.0" }, { "source": 1114641, "name": "undici", "dependency": "undici", "title": "Undici has CRLF Injection in undici via `upgrade` option", "url": "https://github.com/advisories/GHSA-4992-7rv2-5pvq", "severity": "moderate", "cwe": [ "CWE-93" ], "cvss": { "score": 4.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N" }, "range": ">=7.0.0 <7.24.0" }, { "source": 1114643, "name": "undici", "dependency": "undici", "title": "Undici has Unbounded Memory Consumption in its DeduplicationHandler via Response Buffering that leads to DoS", "url": "https://github.com/advisories/GHSA-phc3-fgpg-7m6h", "severity": "moderate", "cwe": [ "CWE-770" ], "cvss": { "score": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=7.17.0 <7.24.0" } ], "effects": [ "miniflare" ], "range": "7.0.0 - 7.23.0", "nodes": [ "node_modules/@cloudflare/vitest-pool-workers/node_modules/undici", "node_modules/undici" ], "fixAvailable": { "name": "@cloudflare/vitest-pool-workers", "version": "0.14.0", "isSemVerMajor": true } }, "wrangler": { "name": "wrangler", "severity": "high", "isDirect": true, "via": [ "miniflare", "miniflare" ], "effects": [ "@cloudflare/vitest-pool-workers" ], "range": "<=0.0.0-31bfd374c || 4.36.0 - 4.74.0", "nodes": [ "node_modules/@cloudflare/vitest-pool-workers/node_modules/wrangler", "node_modules/wrangler" ], "fixAvailable": { "name": "@cloudflare/vitest-pool-workers", "version": "0.14.0", "isSemVerMajor": true } } }, "metadata": { "vulnerabilities": { "info": 0, "low": 1, "moderate": 2, "high": 8, "critical": 0, "total": 11 }, "dependencies": { "prod": 37, "dev": 505, "optional": 115, "peer": 1, "peerOptional": 0, "total": 542 } } }