truffle-5.11.5.tgz: 24 vulnerabilities (highest severity is: 9.3)

[mend-bolt-for-github]

Vulnerable Library - truffle-5.11.5.tgz

Path to dependency file: /blockchain_integration/pi_network/contracts/PI-bank/package.json

Path to vulnerable library: /blockchain_integration/pi_network/contracts/node_modules/ganache/node_modules/elliptic/package.json,/blockchain_integration/pi_network/PiSure/contracts/node_modules/ganache/node_modules/elliptic/package.json,/blockchain_integration/pi_network/node_modules/ganache/node_modules/elliptic/package.json,/blockchain_integration/pi_network/SpacePi/node_modules/@truffle/interface-adapter/node_modules/elliptic/package.json,/blockchain_integration/pi_network/SpacePi/node_modules/ganache/node_modules/elliptic/package.json,/blockchain_integration/pi_network/PiSure/contracts/node_modules/@truffle/interface-adapter/node_modules/elliptic/package.json,/blockchain_integration/pi_network/contracts/PI-bank/node_modules/ganache/node_modules/elliptic/package.json,/blockchain_integration/pi_network/contracts/PI-bank/node_modules/@truffle/interface-adapter/node_modules/elliptic/package.json,/blockchain_integration/pi_network/contracts/node_modules/@truffle/interface-adapter/node_modules/elliptic/package.json,/blockchain_integration/pi_network/node_modules/@truffle/interface-adapter/node_modules/elliptic/package.json

Found in HEAD commit: d3541aa3e3fabe96b343bad4a2627e5d1fbf8c36

Vulnerabilities

Vulnerability	Severity	CVSS	Dependency	Type	Fixed in (truffle version)	Remediation Possible**
CVE-2025-6545	Critical	9.3	pbkdf2-3.1.2.tgz	Transitive	N/A*	❌
CVE-2025-9288	Critical	9.1	sha.js-2.4.11.tgz	Transitive	N/A*	❌
CVE-2024-48949	Critical	9.1	elliptic-6.5.4.tgz	Transitive	N/A*	❌
CVE-2025-7783	High	8.7	form-data-4.0.2.tgz	Transitive	N/A*	❌
WS-2023-0439	High	7.5	axios-1.5.0.tgz	Transitive	N/A*	❌
CVE-2025-58754	High	7.5	axios-1.5.0.tgz	Transitive	N/A*	❌
CVE-2025-57330	High	7.5	web3-core-subscriptions-1.10.0.tgz	Transitive	N/A*	❌
CVE-2025-57329	High	7.5	web3-core-method-1.10.0.tgz	Transitive	N/A*	❌
CVE-2025-27152	High	7.5	axios-1.5.0.tgz	Transitive	N/A*	❌
CVE-2024-48930	High	7.5	secp256k1-4.0.3.tgz	Transitive	N/A*	❌
CVE-2024-39338	High	7.5	axios-1.5.0.tgz	Transitive	N/A*	❌
CVE-2024-37890	High	7.5	ws-8.13.0.tgz	Transitive	N/A*	❌
CVE-2024-21505	High	7.5	web3-utils-1.10.0.tgz	Transitive	N/A*	❌
CVE-2025-6547	Medium	6.8	pbkdf2-3.1.2.tgz	Transitive	N/A*	❌
CVE-2023-45857	Medium	6.5	axios-1.5.0.tgz	Transitive	N/A*	❌
CVE-2024-11831	Medium	5.4	serialize-javascript-6.0.0.tgz	Transitive	N/A*	❌
CVE-2025-64718	Medium	5.3	js-yaml-4.1.0.tgz	Transitive	N/A*	❌
CVE-2024-42461	Medium	5.3	elliptic-6.5.4.tgz	Transitive	N/A*	❌
CVE-2024-42460	Medium	5.3	elliptic-6.5.4.tgz	Transitive	N/A*	❌
CVE-2024-42459	Medium	5.3	elliptic-6.5.4.tgz	Transitive	N/A*	❌
CVE-2020-7608	Medium	5.3	yargs-parser-2.4.1.tgz	Transitive	N/A*	❌
CVE-2024-48948	Medium	4.8	elliptic-6.5.4.tgz	Transitive	N/A*	❌
CVE-2024-55565	Medium	4.3	nanoid-3.3.3.tgz	Transitive	N/A*	❌
CVE-2025-5889	Low	3.1	detected in multiple dependencies	Transitive	N/A*	❌

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

Partial details (17 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2025-6545

Vulnerable Library - pbkdf2-3.1.2.tgz

This library provides the functionality of PBKDF2 with the ability to use any supported hashing algorithm returned from crypto.getHashes()

Library home page: https://registry.npmjs.org/pbkdf2/-/pbkdf2-3.1.2.tgz

Path to dependency file: /blockchain_integration/pi_network/package.json

Path to vulnerable library: /blockchain_integration/pi_network/node_modules/pbkdf2/package.json,/blockchain_integration/pi_network/SpacePi/node_modules/pbkdf2/package.json,/blockchain_integration/pi_network/PiSure/client/node_modules/pbkdf2/package.json,/blockchain_integration/pi_network/PiRide/node_modules/pbkdf2/package.json,/blockchain_integration/pi_network/contracts/PI-bank/node_modules/pbkdf2/package.json,/projects/oracle-nexus/node_modules/pbkdf2/package.json,/blockchain_integration/pi_network/pi-browser-app/apps/AstralPlane/node_modules/pbkdf2/package.json,/blockchain_integration/pi_network/pi-network-interoperability/node_modules/pbkdf2/package.json,/blockchain_integration/pi_network/contracts/node_modules/pbkdf2/package.json,/blockchain_integration/pi_network/pi-browser-app/node_modules/pbkdf2/package.json,/blockchain_integration/pi_network/smartship/node_modules/pbkdf2/package.json,/sidra_chain_integration/advanced-features/blockchain-based-identity-verification/backend/node_modules/pbkdf2/package.json,/blockchain_integration/pi_network/PiSure/contracts/node_modules/pbkdf2/package.json

Dependency Hierarchy:

• truffle-5.11.5.tgz (Root Library)
  • db-2.0.36.tgz
    • web3-utils-1.10.0.tgz
      • ethereumjs-util-7.1.5.tgz
        • ethereum-cryptography-0.1.3.tgz
          • ❌ pbkdf2-3.1.2.tgz (Vulnerable Library)

Found in HEAD commit: d3541aa3e3fabe96b343bad4a2627e5d1fbf8c36

Found in base branch: main

Vulnerability Details

Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation. This vulnerability is associated with program files lib/to-buffer.Js.
This issue affects pbkdf2: from 3.0.10 through 3.1.2.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2025-06-23

URL: CVE-2025-6545

CVSS 3 Score Details (9.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-h7cp-r72f-jxh6

Release Date: 2025-06-23

Fix Resolution: pbkdf2 - 3.1.3,https://github.com/browserify/pbkdf2.git - v3.1.3

Step up your Open Source Security Game with Mend here

CVE-2025-9288

Vulnerable Library - sha.js-2.4.11.tgz

Streamable SHA hashes in pure javascript

Library home page: https://registry.npmjs.org/sha.js/-/sha.js-2.4.11.tgz

Path to dependency file: /blockchain_integration/pi_network/contracts/package.json

Path to vulnerable library: /blockchain_integration/pi_network/contracts/node_modules/sha.js/package.json,/blockchain_integration/pi_network/node_modules/ganache-cli/node_modules/sha.js/package.json,/blockchain_integration/pi_network/smartship/node_modules/sha.js/package.json,/blockchain_integration/pi_network/pi-browser-app/node_modules/sha.js/package.json,/blockchain_integration/pi_network/pi-network-interoperability/node_modules/sha.js/package.json,/blockchain_integration/pi_network/contracts/PI-bank/node_modules/sha.js/package.json,/blockchain_integration/pi_network/SpacePi/node_modules/sha.js/package.json,/projects/oracle-nexus/node_modules/sha.js/package.json,/blockchain_integration/pi_network/PiSure/client/node_modules/sha.js/package.json,/blockchain_integration/pi_network/pi-browser-app/apps/AstralPlane/node_modules/sha.js/package.json,/blockchain_integration/pi_network/node_modules/sha.js/package.json,/blockchain_integration/pi_network/PiRide/node_modules/sha.js/package.json,/blockchain_integration/pi_network/PiSure/contracts/node_modules/sha.js/package.json,/sidra_chain_integration/advanced-features/blockchain-based-identity-verification/backend/node_modules/sha.js/package.json

Dependency Hierarchy:

• truffle-5.11.5.tgz (Root Library)
  • db-2.0.36.tgz
    • apollo-server-3.13.0.tgz
      • apollo-server-core-3.13.0.tgz
        • ❌ sha.js-2.4.11.tgz (Vulnerable Library)

Found in HEAD commit: d3541aa3e3fabe96b343bad4a2627e5d1fbf8c36

Found in base branch: main

Vulnerability Details

Improper Input Validation vulnerability in sha.js allows Input Data Manipulation.This issue affects sha.js: through 2.4.11.

Publish Date: 2025-08-20

URL: CVE-2025-9288

CVSS 3 Score Details (9.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2025-08-20

Fix Resolution: https://github.com/browserify/sha.js.git - v2.4.12,sha.js - 2.4.12

Step up your Open Source Security Game with Mend here

CVE-2024-48949

Vulnerable Library - elliptic-6.5.4.tgz

EC cryptography

Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.4.tgz

Path to dependency file: /blockchain_integration/pi_network/contracts/package.json

Path to vulnerable library: /blockchain_integration/pi_network/contracts/node_modules/ganache/node_modules/elliptic/package.json,/blockchain_integration/pi_network/PiSure/contracts/node_modules/ganache/node_modules/elliptic/package.json,/blockchain_integration/pi_network/node_modules/ganache/node_modules/elliptic/package.json,/blockchain_integration/pi_network/SpacePi/node_modules/@truffle/interface-adapter/node_modules/elliptic/package.json,/blockchain_integration/pi_network/SpacePi/node_modules/ganache/node_modules/elliptic/package.json,/blockchain_integration/pi_network/PiSure/contracts/node_modules/@truffle/interface-adapter/node_modules/elliptic/package.json,/blockchain_integration/pi_network/contracts/PI-bank/node_modules/ganache/node_modules/elliptic/package.json,/blockchain_integration/pi_network/contracts/PI-bank/node_modules/@truffle/interface-adapter/node_modules/elliptic/package.json,/blockchain_integration/pi_network/contracts/node_modules/@truffle/interface-adapter/node_modules/elliptic/package.json,/blockchain_integration/pi_network/node_modules/@truffle/interface-adapter/node_modules/elliptic/package.json

Dependency Hierarchy:

• truffle-5.11.5.tgz (Root Library)
  • ganache-7.9.1.tgz
    • secp256k1-4.0.3.tgz
      • ❌ elliptic-6.5.4.tgz (Vulnerable Library)

Found in HEAD commit: d3541aa3e3fabe96b343bad4a2627e5d1fbf8c36

Found in base branch: main

Vulnerability Details

The verify function in lib/elliptic/eddsa/index.js in the Elliptic package before 6.5.6 for Node.js omits "sig.S().gte(sig.eddsa.curve.n) || sig.S().isNeg()" validation.

Publish Date: 2024-10-10

URL: CVE-2024-48949

CVSS 3 Score Details (9.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-48949

Release Date: 2024-10-10

Fix Resolution: elliptic - 6.5.6

Step up your Open Source Security Game with Mend here

CVE-2025-7783

Vulnerable Library - form-data-4.0.2.tgz

A library to create readable "multipart/form-data" streams. Can be used to submit forms and file uploads to other web applications.

Library home page: https://registry.npmjs.org/form-data/-/form-data-4.0.2.tgz

Path to dependency file: /blockchain_integration/pi_network/SpacePi/package.json

Path to vulnerable library: /blockchain_integration/pi_network/SpacePi/node_modules/axios/node_modules/form-data/package.json,/blockchain_integration/pi_network/PiSure/contracts/node_modules/form-data/package.json,/blockchain_integration/pi_network/node_modules/form-data/package.json,/blockchain_integration/pi_network/contracts/PI-bank/node_modules/form-data/package.json,/blockchain_integration/pi_network/SpacePi/node_modules/superagent/node_modules/form-data/package.json,/blockchain_integration/pi_network/PiRide/node_modules/form-data/package.json,/blockchain_integration/pi_network/contracts/node_modules/form-data/package.json

Dependency Hierarchy:

• truffle-5.11.5.tgz (Root Library)
  • db-2.0.36.tgz
    • config-1.3.61.tgz
      • events-0.1.25.tgz
        • dashboard-message-bus-client-0.1.12.tgz
          • axios-1.5.0.tgz
            • ❌ form-data-4.0.2.tgz (Vulnerable Library)

Found in HEAD commit: d3541aa3e3fabe96b343bad4a2627e5d1fbf8c36

Found in base branch: main

Vulnerability Details

Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated with program files lib/form_data.Js.
This issue affects form-data: < 2.5.4, 3.0.0 - 3.0.3, 4.0.0 - 4.0.3.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2025-07-18

URL: CVE-2025-7783

CVSS 3 Score Details (8.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-fjxv-7rqg-78g4

Release Date: 2025-07-18

Fix Resolution: form-data - 3.0.4,https://github.com/form-data/form-data.git - v2.5.4,form-data - 4.0.4,https://github.com/form-data/form-data.git - v4.0.4,https://github.com/form-data/form-data.git - v3.0.4,form-data - 2.5.4

Step up your Open Source Security Game with Mend here

WS-2023-0439

Vulnerable Library - axios-1.5.0.tgz

Library home page: https://registry.npmjs.org/axios/-/axios-1.5.0.tgz

Path to dependency file: /blockchain_integration/pi_network/package.json

Path to vulnerable library: /blockchain_integration/pi_network/node_modules/axios/package.json,/blockchain_integration/pi_network/contracts/node_modules/axios/package.json,/blockchain_integration/pi_network/PiSure/contracts/node_modules/axios/package.json,/blockchain_integration/pi_network/contracts/PI-bank/node_modules/axios/package.json,/blockchain_integration/pi_network/SpacePi/node_modules/axios/package.json

Dependency Hierarchy:

• truffle-5.11.5.tgz (Root Library)
  • db-2.0.36.tgz
    • config-1.3.61.tgz
      • events-0.1.25.tgz
        • dashboard-message-bus-client-0.1.12.tgz
          • ❌ axios-1.5.0.tgz (Vulnerable Library)

Found in HEAD commit: d3541aa3e3fabe96b343bad4a2627e5d1fbf8c36

Found in base branch: main

Vulnerability Details

Axios is vulnerable to Regular Expression Denial of Service (ReDoS). When a manipulated string is provided as input to the format method, the regular expression exhibits a time complexity of O(n^2). Server becomes unable to provide normal service due to the excessive cost and time wasted in processing vulnerable regular expressions.

Publish Date: 2023-10-25

URL: WS-2023-0439

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with Mend here

CVE-2025-58754

Vulnerable Library - axios-1.5.0.tgz

Library home page: https://registry.npmjs.org/axios/-/axios-1.5.0.tgz

Path to dependency file: /blockchain_integration/pi_network/package.json

Path to vulnerable library: /blockchain_integration/pi_network/node_modules/axios/package.json,/blockchain_integration/pi_network/contracts/node_modules/axios/package.json,/blockchain_integration/pi_network/PiSure/contracts/node_modules/axios/package.json,/blockchain_integration/pi_network/contracts/PI-bank/node_modules/axios/package.json,/blockchain_integration/pi_network/SpacePi/node_modules/axios/package.json

Dependency Hierarchy:

• truffle-5.11.5.tgz (Root Library)
  • db-2.0.36.tgz
    • config-1.3.61.tgz
      • events-0.1.25.tgz
        • dashboard-message-bus-client-0.1.12.tgz
          • ❌ axios-1.5.0.tgz (Vulnerable Library)

Found in HEAD commit: d3541aa3e3fabe96b343bad4a2627e5d1fbf8c36

Found in base branch: main

Vulnerability Details

Axios is a promise based HTTP client for the browser and Node.js. When Axios prior to versions 0.30.2 and 1.12.0 runs on Node.js and is given a URL with the "data:" scheme, it does not perform HTTP. Instead, its Node http adapter decodes the entire payload into memory ("Buffer"/"Blob") and returns a synthetic 200 response. This path ignores "maxContentLength" / "maxBodyLength" (which only protect HTTP responses), so an attacker can supply a very large "data:" URI and cause the process to allocate unbounded memory and crash (DoS), even if the caller requested "responseType: 'stream'". Versions 0.30.2 and 1.12.0 contain a patch for the issue.

Publish Date: 2025-09-12

URL: CVE-2025-58754

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-4hjh-wcwx-xvwj

Release Date: 2025-09-12

Fix Resolution: https://github.com/axios/axios.git - v1.12.0,axios - 0.30.2

Step up your Open Source Security Game with Mend here

CVE-2025-57330

Vulnerable Library - web3-core-subscriptions-1.10.0.tgz

Library home page: https://registry.npmjs.org/web3-core-subscriptions/-/web3-core-subscriptions-1.10.0.tgz

Path to dependency file: /blockchain_integration/pi_network/PiSure/contracts/package.json

Path to vulnerable library: /blockchain_integration/pi_network/PiSure/contracts/node_modules/@truffle/debugger/node_modules/web3-core-subscriptions/package.json,/blockchain_integration/pi_network/contracts/PI-bank/node_modules/@truffle/provider/node_modules/web3-core-subscriptions/package.json,/blockchain_integration/pi_network/PiSure/contracts/node_modules/@truffle/interface-adapter/node_modules/web3-core-subscriptions/package.json,/blockchain_integration/pi_network/node_modules/@truffle/provider/node_modules/web3-core-subscriptions/package.json,/blockchain_integration/pi_network/contracts/PI-bank/node_modules/@truffle/debugger/node_modules/web3-core-subscriptions/package.json,/blockchain_integration/pi_network/SpacePi/node_modules/@truffle/debugger/node_modules/web3-core-subscriptions/package.json,/blockchain_integration/pi_network/contracts/node_modules/@truffle/debugger/node_modules/web3-core-subscriptions/package.json,/blockchain_integration/pi_network/contracts/PI-bank/node_modules/@truffle/interface-adapter/node_modules/web3-core-subscriptions/package.json,/blockchain_integration/pi_network/node_modules/@truffle/debugger/node_modules/web3-core-subscriptions/package.json,/blockchain_integration/pi_network/node_modules/@truffle/interface-adapter/node_modules/web3-core-subscriptions/package.json,/blockchain_integration/pi_network/PiSure/contracts/node_modules/@truffle/provider/node_modules/web3-core-subscriptions/package.json,/blockchain_integration/pi_network/SpacePi/node_modules/@truffle/interface-adapter/node_modules/web3-core-subscriptions/package.json,/blockchain_integration/pi_network/SpacePi/node_modules/@truffle/provider/node_modules/web3-core-subscriptions/package.json,/blockchain_integration/pi_network/contracts/node_modules/@truffle/provider/node_modules/web3-core-subscriptions/package.json,/blockchain_integration/pi_network/contracts/node_modules/@truffle/interface-adapter/node_modules/web3-core-subscriptions/package.json

Dependency Hierarchy:

• truffle-5.11.5.tgz (Root Library)
  • debugger-12.1.5.tgz
    • web3-1.10.0.tgz
      • web3-shh-1.10.0.tgz
        • ❌ web3-core-subscriptions-1.10.0.tgz (Vulnerable Library)

Found in HEAD commit: d3541aa3e3fabe96b343bad4a2627e5d1fbf8c36

Found in base branch: main

Vulnerability Details

The web3-core-subscriptions is a package designed to manages web3 subscriptions. A Prototype Pollution vulnerability in the attachToObject function of web3-core-subscriptions version 1.10.4 and before allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence.

Publish Date: 2025-09-24

URL: CVE-2025-57330

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with Mend here

CVE-2025-57329

Vulnerable Library - web3-core-method-1.10.0.tgz

Library home page: https://registry.npmjs.org/web3-core-method/-/web3-core-method-1.10.0.tgz

Path to dependency file: /blockchain_integration/pi_network/contracts/package.json

Path to vulnerable library: /blockchain_integration/pi_network/contracts/node_modules/@truffle/provider/node_modules/web3-core-method/package.json,/blockchain_integration/pi_network/node_modules/@truffle/debugger/node_modules/web3-core-method/package.json,/blockchain_integration/pi_network/node_modules/@truffle/provider/node_modules/web3-core-method/package.json,/blockchain_integration/pi_network/SpacePi/node_modules/@truffle/provider/node_modules/web3-core-method/package.json,/blockchain_integration/pi_network/node_modules/@truffle/interface-adapter/node_modules/web3-core-method/package.json,/blockchain_integration/pi_network/PiSure/contracts/node_modules/@truffle/debugger/node_modules/web3-core-method/package.json,/blockchain_integration/pi_network/contracts/node_modules/@truffle/interface-adapter/node_modules/web3-core-method/package.json,/blockchain_integration/pi_network/contracts/node_modules/@truffle/debugger/node_modules/web3-core-method/package.json,/blockchain_integration/pi_network/PiSure/contracts/node_modules/@truffle/interface-adapter/node_modules/web3-core-method/package.json,/blockchain_integration/pi_network/contracts/PI-bank/node_modules/@truffle/provider/node_modules/web3-core-method/package.json,/blockchain_integration/pi_network/SpacePi/node_modules/@truffle/interface-adapter/node_modules/web3-core-method/package.json,/blockchain_integration/pi_network/contracts/PI-bank/node_modules/@truffle/interface-adapter/node_modules/web3-core-method/package.json,/blockchain_integration/pi_network/SpacePi/node_modules/@truffle/debugger/node_modules/web3-core-method/package.json,/blockchain_integration/pi_network/contracts/PI-bank/node_modules/@truffle/debugger/node_modules/web3-core-method/package.json,/blockchain_integration/pi_network/PiSure/contracts/node_modules/@truffle/provider/node_modules/web3-core-method/package.json

Dependency Hierarchy:

• truffle-5.11.5.tgz (Root Library)
  • debugger-12.1.5.tgz
    • web3-1.10.0.tgz
      • web3-net-1.10.0.tgz
        • ❌ web3-core-method-1.10.0.tgz (Vulnerable Library)

Found in HEAD commit: d3541aa3e3fabe96b343bad4a2627e5d1fbf8c36

Found in base branch: main

Vulnerability Details

web3-core-method is a package designed to creates the methods on the web3 modules. A Prototype Pollution vulnerability in the attachToObject function of web3-core-method version 1.10.4 and before allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence.

Publish Date: 2025-09-24

URL: CVE-2025-57329

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with Mend here

CVE-2025-27152

Vulnerable Library - axios-1.5.0.tgz

Library home page: https://registry.npmjs.org/axios/-/axios-1.5.0.tgz

Path to dependency file: /blockchain_integration/pi_network/package.json

Path to vulnerable library: /blockchain_integration/pi_network/node_modules/axios/package.json,/blockchain_integration/pi_network/contracts/node_modules/axios/package.json,/blockchain_integration/pi_network/PiSure/contracts/node_modules/axios/package.json,/blockchain_integration/pi_network/contracts/PI-bank/node_modules/axios/package.json,/blockchain_integration/pi_network/SpacePi/node_modules/axios/package.json

Dependency Hierarchy:

• truffle-5.11.5.tgz (Root Library)
  • db-2.0.36.tgz
    • config-1.3.61.tgz
      • events-0.1.25.tgz
        • dashboard-message-bus-client-0.1.12.tgz
          • ❌ axios-1.5.0.tgz (Vulnerable Library)

Found in HEAD commit: d3541aa3e3fabe96b343bad4a2627e5d1fbf8c36

Found in base branch: main

Vulnerability Details

axios is a promise based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative URLs to axios. Even if ⁠baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This issue impacts both server-side and client-side usage of axios. This issue is fixed in 1.8.2.

Publish Date: 2025-03-07

URL: CVE-2025-27152

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-jr5f-v2jv-69x6

Release Date: 2025-03-07

Fix Resolution: https://github.com/axios/axios.git - v1.8.2,axios - 0.30.0,axios - 1.8.2,https://github.com/axios/axios.git - v0.30.0,org.webjars.npm:axios:1.8.3

Step up your Open Source Security Game with Mend here

CVE-2024-48930

Vulnerable Library - secp256k1-4.0.3.tgz

This module provides native bindings to ecdsa secp256k1 functions

Library home page: https://registry.npmjs.org/secp256k1/-/secp256k1-4.0.3.tgz

Path to dependency file: /blockchain_integration/pi_network/PiSure/contracts/package.json

Path to vulnerable library: /blockchain_integration/pi_network/PiSure/contracts/node_modules/ganache/node_modules/secp256k1/package.json,/blockchain_integration/pi_network/node_modules/ganache/node_modules/secp256k1/package.json,/blockchain_integration/pi_network/SpacePi/node_modules/ganache/node_modules/secp256k1/package.json,/blockchain_integration/pi_network/contracts/PI-bank/node_modules/ganache/node_modules/secp256k1/package.json,/blockchain_integration/pi_network/contracts/node_modules/ganache/node_modules/secp256k1/package.json

Dependency Hierarchy:

• truffle-5.11.5.tgz (Root Library)
  • ganache-7.9.1.tgz
    • ❌ secp256k1-4.0.3.tgz (Vulnerable Library)

Found in HEAD commit: d3541aa3e3fabe96b343bad4a2627e5d1fbf8c36

Found in base branch: main

Vulnerability Details

secp256k1-node is a Node.js binding for an Optimized C library for EC operations on curve secp256k1. In "elliptic"-based version, "loadUncompressedPublicKey" has a check that the public key is on the curve. Prior to versions 5.0.1, 4.0.4, and 3.8.1, however, "loadCompressedPublicKey" is missing that check. That allows the attacker to use public keys on low-cardinality curves to extract enough information to fully restore the private key from as little as 11 ECDH sessions, and very cheaply on compute power. Other operations on public keys are also affected, including e.g. "publicKeyVerify()" incorrectly returning "true" on those invalid keys, and e.g. "publicKeyTweakMul()" also returning predictable outcomes allowing to restore the tweak. Versions 5.0.1, 4.0.4, and 3.8.1 contain a fix for the issue.

Publish Date: 2024-10-21

URL: CVE-2024-48930

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-584q-6j8j-r5pm

Release Date: 2024-10-21

Fix Resolution: secp256k1 - 5.0.1,secp256k1 - 3.8.1,secp256k1 - 4.0.4

Step up your Open Source Security Game with Mend here

CVE-2024-39338

Vulnerable Library - axios-1.5.0.tgz

Library home page: https://registry.npmjs.org/axios/-/axios-1.5.0.tgz

Path to dependency file: /blockchain_integration/pi_network/package.json

Path to vulnerable library: /blockchain_integration/pi_network/node_modules/axios/package.json,/blockchain_integration/pi_network/contracts/node_modules/axios/package.json,/blockchain_integration/pi_network/PiSure/contracts/node_modules/axios/package.json,/blockchain_integration/pi_network/contracts/PI-bank/node_modules/axios/package.json,/blockchain_integration/pi_network/SpacePi/node_modules/axios/package.json

Dependency Hierarchy:

• truffle-5.11.5.tgz (Root Library)
  • db-2.0.36.tgz
    • config-1.3.61.tgz
      • events-0.1.25.tgz
        • dashboard-message-bus-client-0.1.12.tgz
          • ❌ axios-1.5.0.tgz (Vulnerable Library)

Found in HEAD commit: d3541aa3e3fabe96b343bad4a2627e5d1fbf8c36

Found in base branch: main

Vulnerability Details

axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs.

Publish Date: 2024-08-09

URL: CVE-2024-39338

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-8hc4-vh64-cxmj

Release Date: 2024-08-09

Fix Resolution: axios - 1.7.4,axios - 1.7.4

Step up your Open Source Security Game with Mend here

CVE-2024-37890

Vulnerable Library - ws-8.13.0.tgz

Library home page: https://registry.npmjs.org/ws/-/ws-8.13.0.tgz

Path to dependency file: /blockchain_integration/pi_network/PiSure/contracts/package.json

Path to vulnerable library: /blockchain_integration/pi_network/PiSure/contracts/node_modules/ganache/node_modules/@trufflesuite/uws-js-unofficial/node_modules/ws/package.json,/blockchain_integration/pi_network/node_modules/ganache/node_modules/@trufflesuite/uws-js-unofficial/node_modules/ws/package.json,/blockchain_integration/pi_network/contracts/node_modules/ganache/node_modules/@trufflesuite/uws-js-unofficial/node_modules/ws/package.json,/blockchain_integration/pi_network/contracts/PI-bank/node_modules/ganache/node_modules/@trufflesuite/uws-js-unofficial/node_modules/ws/package.json,/blockchain_integration/pi_network/SpacePi/node_modules/ganache/node_modules/@trufflesuite/uws-js-unofficial/node_modules/ws/package.json

Dependency Hierarchy:

• truffle-5.11.5.tgz (Root Library)
  • ganache-7.9.1.tgz
    • uws-js-unofficial-20.30.0-unofficial.0.tgz
      • ❌ ws-8.13.0.tgz (Vulnerable Library)

Found in HEAD commit: d3541aa3e3fabe96b343bad4a2627e5d1fbf8c36

Found in base branch: main

Vulnerability Details

ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.

Publish Date: 2024-06-17

URL: CVE-2024-37890

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-3h5v-q93c-6h6q

Release Date: 2024-06-17

Fix Resolution: ws - 5.2.4,6.2.3,7.5.10,8.17.1

Step up your Open Source Security Game with Mend here

CVE-2024-21505

Vulnerable Library - web3-utils-1.10.0.tgz

Library home page: https://registry.npmjs.org/web3-utils/-/web3-utils-1.10.0.tgz

Path to dependency file: /blockchain_integration/pi_network/contracts/package.json

Path to vulnerable library: /blockchain_integration/pi_network/contracts/node_modules/web3-utils/package.json,/blockchain_integration/pi_network/PiSure/contracts/node_modules/web3-utils/package.json,/blockchain_integration/pi_network/contracts/PI-bank/node_modules/web3-utils/package.json,/blockchain_integration/pi_network/SpacePi/node_modules/web3-utils/package.json,/blockchain_integration/pi_network/node_modules/web3-utils/package.json

Dependency Hierarchy:

• truffle-5.11.5.tgz (Root Library)
  • db-2.0.36.tgz
    • ❌ web3-utils-1.10.0.tgz (Vulnerable Library)

Found in HEAD commit: d3541aa3e3fabe96b343bad4a2627e5d1fbf8c36

Found in base branch: main

Vulnerability Details

Versions of the package web3-utils before 4.2.1 are vulnerable to Prototype Pollution via the utility functions format and mergeDeep, due to insecure recursive merge.
An attacker can manipulate an object's prototype, potentially leading to the alteration of the behavior of all objects inheriting from the affected prototype by passing specially crafted input to these functions.

Publish Date: 2024-03-25

URL: CVE-2024-21505

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-2g4c-8fpm-c46v

Release Date: 2024-03-25

Fix Resolution: web3-utils - 4.2.1

Step up your Open Source Security Game with Mend here

CVE-2025-6547

Vulnerable Library - pbkdf2-3.1.2.tgz

This library provides the functionality of PBKDF2 with the ability to use any supported hashing algorithm returned from crypto.getHashes()

Library home page: https://registry.npmjs.org/pbkdf2/-/pbkdf2-3.1.2.tgz

Path to dependency file: /blockchain_integration/pi_network/package.json

Path to vulnerable library: /blockchain_integration/pi_network/node_modules/pbkdf2/package.json,/blockchain_integration/pi_network/SpacePi/node_modules/pbkdf2/package.json,/blockchain_integration/pi_network/PiSure/client/node_modules/pbkdf2/package.json,/blockchain_integration/pi_network/PiRide/node_modules/pbkdf2/package.json,/blockchain_integration/pi_network/contracts/PI-bank/node_modules/pbkdf2/package.json,/projects/oracle-nexus/node_modules/pbkdf2/package.json,/blockchain_integration/pi_network/pi-browser-app/apps/AstralPlane/node_modules/pbkdf2/package.json,/blockchain_integration/pi_network/pi-network-interoperability/node_modules/pbkdf2/package.json,/blockchain_integration/pi_network/contracts/node_modules/pbkdf2/package.json,/blockchain_integration/pi_network/pi-browser-app/node_modules/pbkdf2/package.json,/blockchain_integration/pi_network/smartship/node_modules/pbkdf2/package.json,/sidra_chain_integration/advanced-features/blockchain-based-identity-verification/backend/node_modules/pbkdf2/package.json,/blockchain_integration/pi_network/PiSure/contracts/node_modules/pbkdf2/package.json

Dependency Hierarchy:

• truffle-5.11.5.tgz (Root Library)
  • db-2.0.36.tgz
    • web3-utils-1.10.0.tgz
      • ethereumjs-util-7.1.5.tgz
        • ethereum-cryptography-0.1.3.tgz
          • ❌ pbkdf2-3.1.2.tgz (Vulnerable Library)

Found in HEAD commit: d3541aa3e3fabe96b343bad4a2627e5d1fbf8c36

Found in base branch: main

Vulnerability Details

Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation.This issue affects pbkdf2: <=3.1.2.

Publish Date: 2025-06-23

URL: CVE-2025-6547

CVSS 3 Score Details (6.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-v62p-rq8g-8h59

Release Date: 2025-06-23

Fix Resolution: https://github.com/browserify/pbkdf2.git - v3.1.3,pbkdf2 - 3.1.3

Step up your Open Source Security Game with Mend here

CVE-2023-45857

Vulnerable Library - axios-1.5.0.tgz

Library home page: https://registry.npmjs.org/axios/-/axios-1.5.0.tgz

Path to dependency file: /blockchain_integration/pi_network/package.json

Path to vulnerable library: /blockchain_integration/pi_network/node_modules/axios/package.json,/blockchain_integration/pi_network/contracts/node_modules/axios/package.json,/blockchain_integration/pi_network/PiSure/contracts/node_modules/axios/package.json,/blockchain_integration/pi_network/contracts/PI-bank/node_modules/axios/package.json,/blockchain_integration/pi_network/SpacePi/node_modules/axios/package.json

Dependency Hierarchy:

• truffle-5.11.5.tgz (Root Library)
  • db-2.0.36.tgz
    • config-1.3.61.tgz
      • events-0.1.25.tgz
        • dashboard-message-bus-client-0.1.12.tgz
          • ❌ axios-1.5.0.tgz (Vulnerable Library)

Found in HEAD commit: d3541aa3e3fabe96b343bad4a2627e5d1fbf8c36

Found in base branch: main

Vulnerability Details

An issue discovered in Axios 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.

Publish Date: 2023-11-08

URL: CVE-2023-45857

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-wf5p-g6vw-rhxx

Release Date: 2023-11-08

Fix Resolution: axios - 1.6.0,axios - 1.6.0,axios - 0.28.0,org.webjars.npm:axios:1.6.0

Step up your Open Source Security Game with Mend here

CVE-2024-11831

Vulnerable Library - serialize-javascript-6.0.0.tgz

Serialize JavaScript to a superset of JSON that includes regular expressions and functions.

Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-6.0.0.tgz

Path to dependency file: /blockchain_integration/pi_network/contracts/package.json

Path to vulnerable library: /blockchain_integration/pi_network/contracts/node_modules/serialize-javascript/package.json,/blockchain_integration/pi_network/node_modules/serialize-javascript/package.json,/blockchain_integration/pi_network/SpacePi/node_modules/serialize-javascript/package.json,/blockchain_integration/pi_network/PiSure/contracts/node_modules/serialize-javascript/package.json,/blockchain_integration/pi_network/contracts/PI-bank/node_modules/truffle/node_modules/serialize-javascript/package.json

Dependency Hierarchy:

• truffle-5.11.5.tgz (Root Library)
  • mocha-10.1.0.tgz
    • ❌ serialize-javascript-6.0.0.tgz (Vulnerable Library)

Found in HEAD commit: d3541aa3e3fabe96b343bad4a2627e5d1fbf8c36

Found in base branch: main

Vulnerability Details

A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regex or other JavaScript object types, allowing an attacker to inject malicious code. This code could be executed when deserialized by a web browser, causing Cross-site scripting (XSS) attacks. This issue is critical in environments where serialized data is sent to web clients, potentially compromising the security of the website or web application using this package.

Publish Date: 2025-02-10

URL: CVE-2024-11831

CVSS 3 Score Details (5.4)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-76p7-773f-r4q5

Release Date: 2025-02-10

Fix Resolution: serialize-javascript - 6.0.2

Step up your Open Source Security Game with Mend here

CVE-2025-64718

Vulnerable Library - js-yaml-4.1.0.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.0.tgz

Path to dependency file: /blockchain_integration/pi_network/PiSure/contracts/package.json

Path to vulnerable library: /blockchain_integration/pi_network/PiSure/contracts/node_modules/js-yaml/package.json,/blockchain_integration/pi_network/SpacePi/node_modules/mocha/node_modules/js-yaml/package.json,/blockchain_integration/pi_network/node_modules/js-yaml/package.json,/projects/oracle-nexus/node_modules/js-yaml/package.json,/blockchain_integration/pi_network/contracts/PI-bank/node_modules/js-yaml/package.json,/blockchain_integration/pi_network/pi-network-layer2-scaling/node_modules/hardhat/node_modules/js-yaml/package.json,/blockchain_integration/pi_network/contracts/node_modules/js-yaml/package.json

Dependency Hierarchy:

• truffle-5.11.5.tgz (Root Library)
  • mocha-10.1.0.tgz
    • ❌ js-yaml-4.1.0.tgz (Vulnerable Library)

Found in HEAD commit: d3541aa3e3fabe96b343bad4a2627e5d1fbf8c36

Found in base branch: main

Vulnerability Details

js-yaml is a JavaScript YAML parser and dumper. In js-yaml 4.1.0 and below, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution ("proto"). All users who parse untrusted yaml documents may be impacted. The problem is patched in js-yaml 4.1.1. Users can protect against this kind of attack on the server by using "node --disable-proto=delete" or "deno" (in Deno, pollution protection is on by default).

Publish Date: 2025-11-13

URL: CVE-2025-64718

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-mh29-5h37-fv8m

Release Date: 2025-11-13

Fix Resolution: js-yaml - 4.1.1,js-yaml - 3.14.2

Step up your Open Source Security Game with Mend here

[mend-bolt-for-github]

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

[mend-bolt-for-github]

ℹ️ This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.