Vulnerabilities > Npmjs
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-06-21 | CVE-2022-25883 | Unspecified vulnerability in Npmjs Semver Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range. | 7.5 |
| 2022-06-13 | CVE-2022-29244 | Information Exposure vulnerability in multiple products npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or with a workspace flag (ie. | 7.5 |
| 2021-11-13 | CVE-2021-43616 | Insufficient Verification of Data Authenticity vulnerability in multiple products The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if dependency information in package-lock.json differs from package.json. | 9.8 |
| 2021-08-31 | CVE-2021-37701 | Link Following vulnerability in multiple products The npm package "tar" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. | 8.6 |
| 2021-08-31 | CVE-2021-37712 | Link Following vulnerability in multiple products The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. | 8.6 |
| 2021-08-31 | CVE-2021-37713 | Path Traversal vulnerability in multiple products The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. | 4.4 |
| 2021-08-31 | CVE-2021-39134 | Improper Handling of Case Sensitivity vulnerability in multiple products `@npmcli/arborist`, the library that calculates dependency trees and manages the `node_modules` folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed into the expected folder. | 7.8 |
| 2021-08-31 | CVE-2021-39135 | UNIX Symbolic Link (Symlink) Following vulnerability in multiple products `@npmcli/arborist`, the library that calculates dependency trees and manages the node_modules folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed into the expected folder. | 7.8 |
| 2021-03-23 | CVE-2021-23362 | The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. | 5.3 |
| 2020-10-27 | CVE-2020-7754 | Unspecified vulnerability in Npmjs Npm-User-Validate This affects the package npm-user-validate before 1.0.1. | 5.0 |