Description
Vulnerable Library - ganache-cli-6.12.2.tgz
Path to dependency file: /blockchain_integration/pi_network/package.json
Path to vulnerable library: /blockchain_integration/pi_network/node_modules/ganache-cli/node_modules/secp256k1/package.json
Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf
Vulnerabilities
| Vulnerability | Severity (CVSS 3 base score) | Dependency | Type | Fixed in (ganache-cli version) | Remediation Possible** |
|---|---|---|---|---|---|
| CVE-2025-6545 | 9.3 | pbkdf2-3.1.1.tgz | Transitive | N/A* | ❌ |
| CVE-2025-9288 | 9.1 | sha.js-2.4.11.tgz | Transitive | N/A* | ❌ |
| CVE-2025-9287 | 9.1 | cipher-base-1.0.4.tgz | Transitive | N/A* | ❌ |
| CVE-2024-48949 | 9.1 | elliptic-6.5.3.tgz | Transitive | N/A* | ❌ |
| CVE-2025-27611 | 7.5 | base-x-3.0.8.tgz | Transitive | N/A* | ❌ |
| CVE-2024-48930 | 7.5 | secp256k1-4.0.2.tgz | Transitive | N/A* | ❌ |
| CVE-2024-21538 | 7.5 | cross-spawn-6.0.5.tgz | Transitive | N/A* | ❌ |
| CVE-2021-3807 | 7.5 | ansi-regex-4.1.0.tgz | Transitive | N/A* | ❌ |
| CVE-2020-7774 | 7.3 | y18n-4.0.0.tgz | Transitive | N/A* | ❌ |
| CVE-2025-6547 | 6.8 | pbkdf2-3.1.1.tgz | Transitive | N/A* | ❌ |
| CVE-2020-28498 | 6.8 | elliptic-6.5.3.tgz | Transitive | N/A* | ❌ |
| CVE-2024-42461 | 5.3 | elliptic-6.5.3.tgz | Transitive | N/A* | ❌ |
| CVE-2024-42460 | 5.3 | elliptic-6.5.3.tgz | Transitive | N/A* | ❌ |
| CVE-2024-42459 | 5.3 | elliptic-6.5.3.tgz | Transitive | N/A* | ❌ |
| CVE-2022-25883 | 5.3 | semver-5.7.1.tgz | Transitive | N/A* | ❌ |
| CVE-2024-48948 | 4.8 | elliptic-6.5.3.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities there is no version of the direct dependency that carries a fix. Check the "Details" section below to see whether a version of the transitive dependency itself fixes the vulnerability.
**In some cases a Remediation PR cannot be created automatically for a vulnerability even though a remediation is available.
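Because every finding above is transitive through ganache-cli 6.12.2, and no ganache-cli release fixes them, the practical interim fix is to pin the transitive packages with npm `overrides`. The script below is an added example, not part of the Mend report or of the ganache-cli project: it holds the report's findings as constructed input (the installed versions from the table, the fix versions from the Details section, with cipher-base targeted at 1.0.5, the release that follows the affected 1.0.4), checks each one, and emits an `overrides` block scoped under ganache-cli so other copies of the same packages in the tree are left alone. Its version comparison is a deliberately minimal one, since the semver package is itself among the flagged dependencies.

```javascript
// Added example (not part of the Mend report or the ganache-cli project):
// compare the versions this report found against the fix versions and emit the
// npm "overrides" block that pins the transitive packages.
// The findings list is constructed from the report so the script runs offline.

// Each entry: package, version found under node_modules/ganache-cli, lowest fixed
// version on the same major line, and the CVEs the report attributes to it.
const findings = [
  { name: 'pbkdf2',      installed: '3.1.1',  fixed: '3.1.3',  cves: ['CVE-2025-6545', 'CVE-2025-6547'] },
  { name: 'sha.js',      installed: '2.4.11', fixed: '2.4.12', cves: ['CVE-2025-9288'] },
  { name: 'cipher-base', installed: '1.0.4',  fixed: '1.0.5',  cves: ['CVE-2025-9287'] },
  { name: 'elliptic',    installed: '6.5.3',  fixed: '6.6.0',  cves: ['CVE-2024-48949', 'CVE-2020-28498', 'CVE-2024-42461', 'CVE-2024-42460', 'CVE-2024-42459', 'CVE-2024-48948'] },
  { name: 'base-x',      installed: '3.0.8',  fixed: '3.0.11', cves: ['CVE-2025-27611'] },
  { name: 'secp256k1',   installed: '4.0.2',  fixed: '4.0.4',  cves: ['CVE-2024-48930'] },
  { name: 'cross-spawn', installed: '6.0.5',  fixed: '6.0.6',  cves: ['CVE-2024-21538'] },
  { name: 'ansi-regex',  installed: '4.1.0',  fixed: '4.1.1',  cves: ['CVE-2021-3807'] },
  { name: 'y18n',        installed: '4.0.0',  fixed: '4.0.1',  cves: ['CVE-2020-7774'] },
  { name: 'semver',      installed: '5.7.1',  fixed: '5.7.2',  cves: ['CVE-2022-25883'] },
];

// Minimal numeric "major.minor.patch" comparison. Not the semver package (which is
// one of the flagged dependencies); pre-release tags are not handled.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

const sameMajor = (a, b) => a.split('.')[0] === b.split('.')[0];

// Entries whose installed version is below the fix, flagged with whether the fix
// stays on the same major line (a same-major pin is unlikely to break the API).
function outstanding(list) {
  return list
    .filter(f => compareVersions(f.installed, f.fixed) < 0)
    .map(f => ({ ...f, sameMajor: sameMajor(f.installed, f.fixed) }));
}

// Build the "overrides" value for package.json. "^fixed" pins the floor on the
// same major line and still admits later patch releases.
function buildOverrides(list) {
  const nested = {};
  for (const f of outstanding(list)) nested[f.name] = '^' + f.fixed;
  return { 'ganache-cli': nested };
}

// Human-readable summary, one line per outstanding package.
function report(list) {
  return outstanding(list)
    .map(f => `${f.name}@${f.installed} -> ${f.fixed} (${f.cves.join(', ')})${f.sameMajor ? '' : ' [major bump]'}`)
    .join('\n');
}

console.log(report(findings));
console.log(JSON.stringify({ overrides: buildOverrides(findings) }, null, 2));
```

After adding the emitted block to package.json, run `npm install` and confirm with `npm ls <package>` that the nested copy under ganache-cli now resolves to the pinned version, then rescan. An override only changes what npm resolves: if any of the flagged code is also shipped inside a pre-built bundle of the package, the override does not alter it, and replacing the dependency is the only complete fix.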
Details
CVE-2025-6545
Vulnerable Library - pbkdf2-3.1.1.tgz
This library provides the functionality of PBKDF2 with the ability to use any supported hashing algorithm returned from crypto.getHashes()
Library home page: https://registry.npmjs.org/pbkdf2/-/pbkdf2-3.1.1.tgz
Path to dependency file: /blockchain_integration/pi_network/package.json
Path to vulnerable library: /blockchain_integration/pi_network/node_modules/ganache-cli/node_modules/pbkdf2/package.json
Dependency Hierarchy:
- ganache-cli-6.12.2.tgz (Root Library)
- ethereumjs-util-6.2.1.tgz
- ethereum-cryptography-0.1.3.tgz
- ❌ pbkdf2-3.1.1.tgz (Vulnerable Library)
- ethereum-cryptography-0.1.3.tgz
- ethereumjs-util-6.2.1.tgz
Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf
Found in base branch: main
Vulnerability Details
Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation. This vulnerability is associated with the program file lib/to-buffer.js.
This issue affects pbkdf2: from 3.0.10 through 3.1.2.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-06-23
URL: CVE-2025-6545
CVSS 3 Score Details (9.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-h7cp-r72f-jxh6
Release Date: 2025-06-23
Fix Resolution: pbkdf2 - 3.1.3 (https://github.com/browserify/pbkdf2.git tag v3.1.3)
Step up your Open Source Security Game with Mend here
CVE-2025-9288
Vulnerable Library - sha.js-2.4.11.tgz
Streamable SHA hashes in pure javascript
Library home page: https://registry.npmjs.org/sha.js/-/sha.js-2.4.11.tgz
Path to dependency file: /blockchain_integration/pi_network/contracts/package.json
Path to vulnerable library: /blockchain_integration/pi_network/contracts/node_modules/sha.js/package.json,/blockchain_integration/pi_network/node_modules/ganache-cli/node_modules/sha.js/package.json,/blockchain_integration/pi_network/smartship/node_modules/sha.js/package.json,/blockchain_integration/pi_network/pi-browser-app/node_modules/sha.js/package.json,/blockchain_integration/pi_network/pi-network-interoperability/node_modules/sha.js/package.json,/blockchain_integration/pi_network/contracts/PI-bank/node_modules/sha.js/package.json,/blockchain_integration/pi_network/SpacePi/node_modules/sha.js/package.json,/projects/oracle-nexus/node_modules/sha.js/package.json,/blockchain_integration/pi_network/PiSure/client/node_modules/sha.js/package.json,/blockchain_integration/pi_network/pi-browser-app/apps/AstralPlane/node_modules/sha.js/package.json,/blockchain_integration/pi_network/node_modules/sha.js/package.json,/blockchain_integration/pi_network/PiRide/node_modules/sha.js/package.json,/blockchain_integration/pi_network/PiSure/contracts/node_modules/sha.js/package.json,/sidra_chain_integration/advanced-features/blockchain-based-identity-verification/backend/node_modules/sha.js/package.json
Dependency Hierarchy:
- ganache-cli-6.12.2.tgz (Root Library)
- ethereumjs-util-6.2.1.tgz
- create-hash-1.2.0.tgz
- ❌ sha.js-2.4.11.tgz (Vulnerable Library)
- create-hash-1.2.0.tgz
- ethereumjs-util-6.2.1.tgz
Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf
Found in base branch: main
Vulnerability Details
Improper Input Validation vulnerability in sha.js allows Input Data Manipulation. This issue affects sha.js: through 2.4.11.
Publish Date: 2025-08-20
URL: CVE-2025-9288
CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2025-08-20
Fix Resolution: sha.js - 2.4.12 (https://github.com/browserify/sha.js.git tag v2.4.12)
CVE-2025-9287
Vulnerable Library - cipher-base-1.0.4.tgz
abstract base class for crypto-streams
Library home page: https://registry.npmjs.org/cipher-base/-/cipher-base-1.0.4.tgz
Path to dependency file: /blockchain_integration/pi_network/package.json
Path to vulnerable library: /blockchain_integration/pi_network/node_modules/ganache-cli/node_modules/cipher-base/package.json
Dependency Hierarchy:
- ganache-cli-6.12.2.tgz (Root Library)
- ethereumjs-util-6.2.1.tgz
- create-hash-1.2.0.tgz
- ❌ cipher-base-1.0.4.tgz (Vulnerable Library)
- create-hash-1.2.0.tgz
- ethereumjs-util-6.2.1.tgz
Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf
Found in base branch: main
Vulnerability Details
Improper Input Validation vulnerability in cipher-base allows Input Data Manipulation. This issue affects cipher-base: through 1.0.4.
Publish Date: 2025-08-20
URL: CVE-2025-9287
CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-cpq7-6gpm-g9rc
Release Date: 2025-08-20
Fix Resolution: cipher-base - 1.0.5 (1.0.4 is the affected version found here; the fix is the next release)
CVE-2024-48949
Vulnerable Library - elliptic-6.5.3.tgz
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.3.tgz
Path to dependency file: /blockchain_integration/pi_network/package.json
Path to vulnerable library: /blockchain_integration/pi_network/node_modules/ganache-cli/node_modules/elliptic/package.json
Dependency Hierarchy:
- ganache-cli-6.12.2.tgz (Root Library)
- ethereumjs-util-6.2.1.tgz
- ❌ elliptic-6.5.3.tgz (Vulnerable Library)
- ethereumjs-util-6.2.1.tgz
Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf
Found in base branch: main
Vulnerability Details
The verify function in lib/elliptic/eddsa/index.js in the Elliptic package before 6.5.6 for Node.js omits "sig.S().gte(sig.eddsa.curve.n) || sig.S().isNeg()" validation.
Publish Date: 2024-10-10
URL: CVE-2024-48949
CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-48949
Release Date: 2024-10-10
Fix Resolution: elliptic - 6.5.6
CVE-2025-27611
Vulnerable Library - base-x-3.0.8.tgz
Fast base encoding / decoding of any given alphabet
Library home page: https://registry.npmjs.org/base-x/-/base-x-3.0.8.tgz
Path to dependency file: /blockchain_integration/pi_network/package.json
Path to vulnerable library: /blockchain_integration/pi_network/node_modules/ganache-cli/node_modules/base-x/package.json
Dependency Hierarchy:
- ganache-cli-6.12.2.tgz (Root Library)
- ethereumjs-util-6.2.1.tgz
- ethereum-cryptography-0.1.3.tgz
- bs58check-2.1.2.tgz
- bs58-4.0.1.tgz
- ❌ base-x-3.0.8.tgz (Vulnerable Library)
- bs58-4.0.1.tgz
- bs58check-2.1.2.tgz
- ethereum-cryptography-0.1.3.tgz
- ethereumjs-util-6.2.1.tgz
Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf
Found in base branch: main
Vulnerability Details
base-x is a base encoder and decoder of any given alphabet using bitcoin style leading zero compression. Versions 4.0.0, 5.0.0, and all prior to 3.0.11, are vulnerable to attackers potentially deceiving users into sending funds to an unintended address. This issue has been patched in versions 3.0.11, 4.0.1, and 5.0.1.
Publish Date: 2025-04-30
URL: CVE-2025-27611
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-xq7p-g2vc-g82p
Release Date: 2025-04-30
Fix Resolution: base-x - 3.0.11, 4.0.1, 5.0.1 (https://github.com/cryptocoinjs/base-x.git tags v3.0.11, v4.0.1, v5.0.1)
CVE-2024-48930
Vulnerable Library - secp256k1-4.0.2.tgz
This module provides native bindings to ecdsa secp256k1 functions
Library home page: https://registry.npmjs.org/secp256k1/-/secp256k1-4.0.2.tgz
Path to dependency file: /blockchain_integration/pi_network/package.json
Path to vulnerable library: /blockchain_integration/pi_network/node_modules/ganache-cli/node_modules/secp256k1/package.json
Dependency Hierarchy:
- ganache-cli-6.12.2.tgz (Root Library)
- ethereumjs-util-6.2.1.tgz
- ethereum-cryptography-0.1.3.tgz
- ❌ secp256k1-4.0.2.tgz (Vulnerable Library)
- ethereum-cryptography-0.1.3.tgz
- ethereumjs-util-6.2.1.tgz
Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf
Found in base branch: main
Vulnerability Details
secp256k1-node is a Node.js binding for an Optimized C library for EC operations on curve secp256k1. In "elliptic"-based version, "loadUncompressedPublicKey" has a check that the public key is on the curve. Prior to versions 5.0.1, 4.0.4, and 3.8.1, however, "loadCompressedPublicKey" is missing that check. That allows the attacker to use public keys on low-cardinality curves to extract enough information to fully restore the private key from as little as 11 ECDH sessions, and very cheaply on compute power. Other operations on public keys are also affected, including e.g. "publicKeyVerify()" incorrectly returning "true" on those invalid keys, and e.g. "publicKeyTweakMul()" also returning predictable outcomes allowing to restore the tweak. Versions 5.0.1, 4.0.4, and 3.8.1 contain a fix for the issue.
Publish Date: 2024-10-21
URL: CVE-2024-48930
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-584q-6j8j-r5pm
Release Date: 2024-10-21
Fix Resolution: secp256k1 - 5.0.1,secp256k1 - 3.8.1,secp256k1 - 4.0.4
CVE-2024-21538
Vulnerable Library - cross-spawn-6.0.5.tgz
Cross platform child_process#spawn and child_process#spawnSync
Library home page: https://registry.npmjs.org/cross-spawn/-/cross-spawn-6.0.5.tgz
Path to dependency file: /blockchain_integration/pi_network/package.json
Path to vulnerable library: /blockchain_integration/pi_network/node_modules/ganache-cli/node_modules/cross-spawn/package.json
Dependency Hierarchy:
- ganache-cli-6.12.2.tgz (Root Library)
- yargs-13.2.4.tgz
- os-locale-3.1.0.tgz
- execa-1.0.0.tgz
- ❌ cross-spawn-6.0.5.tgz (Vulnerable Library)
- execa-1.0.0.tgz
- os-locale-3.1.0.tgz
- yargs-13.2.4.tgz
Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf
Found in base branch: main
Vulnerability Details
Versions of the package cross-spawn before 6.0.6, from 7.0.0 and before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.
Publish Date: 2024-11-08
URL: CVE-2024-21538
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2024-21538
Release Date: 2024-11-08
Fix Resolution: cross-spawn - 6.0.6, 7.0.5 (https://github.com/moxystudio/node-cross-spawn.git tags v6.0.6, v7.0.5; org.webjars.npm:cross-spawn 6.0.6, 7.0.5)
CVE-2021-3807
Vulnerable Library - ansi-regex-4.1.0.tgz
Regular expression for matching ANSI escape codes
Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-4.1.0.tgz
Path to dependency file: /blockchain_integration/pi_network/package.json
Path to vulnerable library: /blockchain_integration/pi_network/node_modules/ganache-cli/node_modules/ansi-regex/package.json
Dependency Hierarchy:
- ganache-cli-6.12.2.tgz (Root Library)
- yargs-13.2.4.tgz
- cliui-5.0.0.tgz
- strip-ansi-5.2.0.tgz
- ❌ ansi-regex-4.1.0.tgz (Vulnerable Library)
- strip-ansi-5.2.0.tgz
- cliui-5.0.0.tgz
- yargs-13.2.4.tgz
Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf
Found in base branch: main
Vulnerability Details
ansi-regex is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-09-17
URL: CVE-2021-3807
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-93q8-gq69-wqmw
Release Date: 2021-09-17
Fix Resolution: ansi-regex - 5.0.1,ansi-regex - 3.0.1,ansi-regex - 6.0.1,ansi-regex - 4.1.1
CVE-2020-7774
Vulnerable Library - y18n-4.0.0.tgz
the bare-bones internationalization library used by yargs
Library home page: https://registry.npmjs.org/y18n/-/y18n-4.0.0.tgz
Path to dependency file: /blockchain_integration/pi_network/package.json
Path to vulnerable library: /blockchain_integration/pi_network/node_modules/ganache-cli/node_modules/y18n/package.json
Dependency Hierarchy:
- ganache-cli-6.12.2.tgz (Root Library)
- yargs-13.2.4.tgz
- ❌ y18n-4.0.0.tgz (Vulnerable Library)
- yargs-13.2.4.tgz
Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf
Found in base branch: main
Vulnerability Details
The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.
Publish Date: 2020-11-17
URL: CVE-2020-7774
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1654
Release Date: 2020-11-17
Fix Resolution: y18n - 3.2.2, 4.0.1, 5.0.5
CVE-2025-6547
Vulnerable Library - pbkdf2-3.1.1.tgz
This library provides the functionality of PBKDF2 with the ability to use any supported hashing algorithm returned from crypto.getHashes()
Library home page: https://registry.npmjs.org/pbkdf2/-/pbkdf2-3.1.1.tgz
Path to dependency file: /blockchain_integration/pi_network/package.json
Path to vulnerable library: /blockchain_integration/pi_network/node_modules/ganache-cli/node_modules/pbkdf2/package.json
Dependency Hierarchy:
- ganache-cli-6.12.2.tgz (Root Library)
- ethereumjs-util-6.2.1.tgz
- ethereum-cryptography-0.1.3.tgz
- ❌ pbkdf2-3.1.1.tgz (Vulnerable Library)
- ethereum-cryptography-0.1.3.tgz
- ethereumjs-util-6.2.1.tgz
Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf
Found in base branch: main
Vulnerability Details
Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation. This issue affects pbkdf2: <=3.1.2.
Publish Date: 2025-06-23
URL: CVE-2025-6547
CVSS 3 Score Details (6.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-v62p-rq8g-8h59
Release Date: 2025-06-23
Fix Resolution: pbkdf2 - 3.1.3 (https://github.com/browserify/pbkdf2.git tag v3.1.3)
CVE-2020-28498
Vulnerable Library - elliptic-6.5.3.tgz
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.3.tgz
Path to dependency file: /blockchain_integration/pi_network/package.json
Path to vulnerable library: /blockchain_integration/pi_network/node_modules/ganache-cli/node_modules/elliptic/package.json
Dependency Hierarchy:
- ganache-cli-6.12.2.tgz (Root Library)
- ethereumjs-util-6.2.1.tgz
- ❌ elliptic-6.5.3.tgz (Vulnerable Library)
- ethereumjs-util-6.2.1.tgz
Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf
Found in base branch: main
Vulnerability Details
The package elliptic before 6.5.4 are vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the derive function actually exists on the secp256k1 curve. This results in the potential for the private key used in this implementation to be revealed after a number of ECDH operations are performed.
Publish Date: 2021-02-02
URL: CVE-2020-28498
CVSS 3 Score Details (6.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2020-28498
Release Date: 2021-02-02
Fix Resolution: elliptic - 6.5.4
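CVE-2024-48930 (secp256k1-node, compressed keys) and CVE-2020-28498 (elliptic, the derive function) describe the same omission: a peer-supplied public key is used in ECDH without confirming that it is a point on secp256k1, which is what lets an attacker substitute a point on a low-order curve and recover the private key from a handful of shared secrets. The following is an added example, not code from secp256k1-node, elliptic or the ganache-cli project: a dependency-free parser for SEC1 public keys that performs the on-curve check for both the compressed and the uncompressed encoding. The curve constants are the public secp256k1 domain parameters; the invalid test inputs are constructed.

```javascript
// Added example, not code from secp256k1-node, elliptic or the ganache-cli project:
// the on-curve check that CVE-2024-48930 and CVE-2020-28498 describe as missing,
// written with BigInt so it runs without any dependency.
// Public secp256k1 domain parameters.
const P  = (1n << 256n) - (1n << 32n) - 977n;                                   // field prime
const GX = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798n; // generator x
const GY = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8n; // generator y

const mod = (a, m) => ((a % m) + m) % m;

// Square-and-multiply modular exponentiation on BigInt.
function modPow(base, exp, m) {
  let result = 1n;
  base = mod(base, m);
  while (exp > 0n) {
    if (exp & 1n) result = (result * base) % m;
    base = (base * base) % m;
    exp >>= 1n;
  }
  return result;
}

const bytesToBigInt = (bytes) => bytes.reduce((acc, b) => (acc << 8n) | BigInt(b), 0n);

// Curve equation check: y^2 == x^3 + 7 (mod p), with both coordinates field elements.
function isOnCurve(x, y) {
  if (x < 0n || x >= P || y < 0n || y >= P) return false;
  return mod(y * y - (x * x * x + 7n), P) === 0n;
}

// Decompress a 33-byte key. Because p ≡ 3 (mod 4), a^((p+1)/4) is a square root of a
// whenever a is a quadratic residue. When a is not, the candidate squared does not give
// a back, and that is exactly the "x not on the curve" case the vulnerable loader
// accepted. Verifying y*y == rhs is the omitted check.
function decompress(bytes) {
  if (bytes.length !== 33 || (bytes[0] !== 2 && bytes[0] !== 3)) throw new Error('bad compressed key');
  const x = bytesToBigInt(bytes.slice(1));
  if (x >= P) throw new Error('x is not a field element');
  const rhs = mod(x * x * x + 7n, P);
  let y = modPow(rhs, (P + 1n) / 4n, P);
  if ((y * y) % P !== rhs) throw new Error('x is not on the curve');
  if ((y & 1n) !== BigInt(bytes[0] & 1)) y = P - y;   // pick the root whose parity matches the prefix
  return { x, y };
}

// Accept SEC1 compressed (02/03) or uncompressed (04) encodings and reject anything else.
function parsePublicKey(bytes) {
  if (bytes.length === 33) return decompress(bytes);
  if (bytes.length === 65 && bytes[0] === 4) {
    const x = bytesToBigInt(bytes.slice(1, 33));
    const y = bytesToBigInt(bytes.slice(33));
    if (!isOnCurve(x, y)) throw new Error('point is not on the curve');
    return { x, y };
  }
  throw new Error('unsupported public key encoding');
}

// Encoding helpers used to build inputs.
function bigIntTo32Bytes(v) {
  const out = new Uint8Array(32);
  for (let i = 31; i >= 0; i--) { out[i] = Number(v & 0xFFn); v >>= 8n; }
  return out;
}
const compressed   = (x, y) => Uint8Array.from([2 + Number(y & 1n), ...bigIntTo32Bytes(x)]);
const uncompressed = (x, y) => Uint8Array.from([4, ...bigIntTo32Bytes(x), ...bigIntTo32Bytes(y)]);
```

Run this check on every public key before it reaches ECDH, a tweak operation or `publicKeyVerify`-style helpers; the fixed library versions listed above do the equivalent internally, but a caller that also validates keys at its trust boundary does not depend on every dependency getting it right.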
CVE-2024-42461
Vulnerable Library - elliptic-6.5.3.tgz
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.3.tgz
Path to dependency file: /blockchain_integration/pi_network/package.json
Path to vulnerable library: /blockchain_integration/pi_network/node_modules/ganache-cli/node_modules/elliptic/package.json
Dependency Hierarchy:
- ganache-cli-6.12.2.tgz (Root Library)
- ethereumjs-util-6.2.1.tgz
- ❌ elliptic-6.5.3.tgz (Vulnerable Library)
- ethereumjs-util-6.2.1.tgz
Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf
Found in base branch: main
Vulnerability Details
In the Elliptic package through 6.5.6 for Node.js (the 6.5.3 found here included), ECDSA signature malleability occurs because BER-encoded signatures are accepted alongside strict DER, so one signature has several byte encodings that all verify.
Publish Date: 2024-08-02
URL: CVE-2024-42461
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-49q7-c7j4-3p7m
Release Date: 2024-08-02
Fix Resolution: elliptic - 6.5.7
CVE-2024-42460
Vulnerable Library - elliptic-6.5.3.tgz
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.3.tgz
Path to dependency file: /blockchain_integration/pi_network/package.json
Path to vulnerable library: /blockchain_integration/pi_network/node_modules/ganache-cli/node_modules/elliptic/package.json
Dependency Hierarchy:
- ganache-cli-6.12.2.tgz (Root Library)
- ethereumjs-util-6.2.1.tgz
- ❌ elliptic-6.5.3.tgz (Vulnerable Library)
- ethereumjs-util-6.2.1.tgz
Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf
Found in base branch: main
Vulnerability Details
In the Elliptic package through 6.5.6 for Node.js (the 6.5.3 found here included), ECDSA signature malleability occurs because there is no check that the leading bit of r and s is zero, so a DER INTEGER with an unnecessary leading zero byte, or one whose high bit is set, is still accepted.
Publish Date: 2024-08-02
URL: CVE-2024-42460
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-977x-g7h5-7qgw
Release Date: 2024-08-02
Fix Resolution: elliptic - 6.5.7
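CVE-2024-42461 and CVE-2024-42460 are both failures to insist on exact DER for the (r, s) pair: long-form or oversized lengths, non-minimal INTEGERs with a redundant leading zero, and INTEGERs whose leading bit is set (negative values) all decode to the same r and s, so the byte string of a signature is not unique. The parser below is an added example, not code from elliptic or the ganache-cli project; it accepts only a SEQUENCE of exactly two minimally encoded positive INTEGERs in the range [1, n-1], with an optional low-s rule that also removes the (r, n-s) malleability. The group order constant is the public secp256k1 value and the test signatures are constructed.

```javascript
// Added example, not code from elliptic or the ganache-cli project: a strict DER
// parser for ECDSA signatures that rejects the encodings CVE-2024-42461 (BER accepted)
// and CVE-2024-42460 (no leading-bit check) let through.
const SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141n;

// Read one DER INTEGER at `offset`. Returns { value, next } or throws.
function readDerInteger(bytes, offset) {
  if (bytes[offset] !== 0x02) throw new Error('expected INTEGER tag');
  const len = bytes[offset + 1];
  // Signature integers for curves up to 521 bits fit in a short-form length; the
  // long form (0x81 ..) is BER and is refused.
  if (len === undefined || len === 0 || len >= 0x80) throw new Error('INTEGER length must be 1..127, short form');
  const start = offset + 2, end = start + len;
  if (end > bytes.length) throw new Error('INTEGER runs past end of signature');
  const body = bytes.subarray(start, end);
  // Leading bit must be zero: a set high bit makes the value negative in DER.
  if (body[0] & 0x80) throw new Error('negative INTEGER');
  // Minimality: a leading 0x00 is only allowed when the next byte's high bit is set.
  if (len > 1 && body[0] === 0x00 && !(body[1] & 0x80)) throw new Error('non-minimal INTEGER (redundant leading zero)');
  let value = 0n;
  for (const b of body) value = (value << 8n) | BigInt(b);
  return { value, next: end };
}

// Returns { r, s } or throws. Only exact DER is accepted: one SEQUENCE with a
// short-form length that covers exactly two INTEGERs and nothing else.
function parseEcdsaSignatureDer(bytes, n = SECP256K1_N, { requireLowS = false } = {}) {
  if (!(bytes instanceof Uint8Array)) throw new Error('signature must be bytes');
  if (bytes[0] !== 0x30) throw new Error('expected SEQUENCE tag');
  const seqLen = bytes[1];
  if (seqLen === undefined || seqLen >= 0x80) throw new Error('SEQUENCE length must be short form');
  if (seqLen + 2 !== bytes.length) throw new Error('SEQUENCE length does not match signature length');
  const r = readDerInteger(bytes, 2);
  const s = readDerInteger(bytes, r.next);
  if (s.next !== bytes.length) throw new Error('trailing bytes after s');
  if (r.value < 1n || r.value >= n || s.value < 1n || s.value >= n) throw new Error('r and s must be in [1, n-1]');
  // Optional low-s rule (Bitcoin/Ethereum style): (r, n-s) is also a valid signature for
  // the same message, so protocols that use the signature as an identifier reject high s.
  if (requireLowS && s.value > n / 2n) throw new Error('s is not low');
  return { r: r.value, s: s.value };
}

// Constructed minimal valid signature: r = 0x7f, s = 0x80 (s needs its leading zero).
const sampleSignature = Uint8Array.from([0x30, 0x07, 0x02, 0x01, 0x7f, 0x02, 0x02, 0x00, 0x80]);
```

Rejecting non-canonical encodings at the parser is the right layer: once r and s are integers, the arithmetic can no longer tell a canonical signature from a malleated one.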
CVE-2024-42459
Vulnerable Library - elliptic-6.5.3.tgz
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.3.tgz
Path to dependency file: /blockchain_integration/pi_network/package.json
Path to vulnerable library: /blockchain_integration/pi_network/node_modules/ganache-cli/node_modules/elliptic/package.json
Dependency Hierarchy:
- ganache-cli-6.12.2.tgz (Root Library)
- ethereumjs-util-6.2.1.tgz
- ❌ elliptic-6.5.3.tgz (Vulnerable Library)
- ethereumjs-util-6.2.1.tgz
Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf
Found in base branch: main
Vulnerability Details
In the Elliptic package through 6.5.6 for Node.js (the 6.5.3 found here included), EdDSA signature malleability occurs because the signature length is not checked, so zero-valued bytes can be removed from or appended to a signature and it still verifies.
Publish Date: 2024-08-02
URL: CVE-2024-42459
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-f7q4-pwc6-w24p
Release Date: 2024-08-02
Fix Resolution: elliptic - 6.5.7
CVE-2022-25883
Vulnerable Library - semver-5.7.1.tgz
The semantic version parser used by npm.
Library home page: https://registry.npmjs.org/semver/-/semver-5.7.1.tgz
Path to dependency file: /blockchain_integration/pi_network/package.json
Path to vulnerable library: /blockchain_integration/pi_network/node_modules/ganache-cli/node_modules/semver/package.json
Dependency Hierarchy:
- ganache-cli-6.12.2.tgz (Root Library)
- yargs-13.2.4.tgz
- os-locale-3.1.0.tgz
- execa-1.0.0.tgz
- cross-spawn-6.0.5.tgz
- ❌ semver-5.7.1.tgz (Vulnerable Library)
- cross-spawn-6.0.5.tgz
- execa-1.0.0.tgz
- os-locale-3.1.0.tgz
- yargs-13.2.4.tgz
Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf
Found in base branch: main
Vulnerability Details
Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2023-06-21
URL: CVE-2022-25883
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-c2qf-rxjj-qqgw
Release Date: 2023-06-21
Fix Resolution: semver - 5.7.2, 6.3.1, 7.5.2 (org.webjars.npm:semver 7.5.2)
CVE-2024-48948
Vulnerable Library - elliptic-6.5.3.tgz
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.3.tgz
Path to dependency file: /blockchain_integration/pi_network/package.json
Path to vulnerable library: /blockchain_integration/pi_network/node_modules/ganache-cli/node_modules/elliptic/package.json
Dependency Hierarchy:
- ganache-cli-6.12.2.tgz (Root Library)
- ethereumjs-util-6.2.1.tgz
- ❌ elliptic-6.5.3.tgz (Vulnerable Library)
- ethereumjs-util-6.2.1.tgz
Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf
Found in base branch: main
Vulnerability Details
The Elliptic package through 6.5.7 for Node.js, in its ECDSA implementation, does not correctly verify valid signatures if the hash contains at least four leading 0 bytes and the order of the elliptic curve's base point is smaller than the hash, because of a _truncateToN anomaly. This leads to valid signatures being rejected: legitimate transactions or communications may be incorrectly flagged as invalid.
Publish Date: 2024-10-15
URL: CVE-2024-48948
CVSS 3 Score Details (4.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-fc9h-whq2-v747
Release Date: 2024-10-15
Fix Resolution: elliptic - 6.6.0
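The truncation step of ECDSA takes the leftmost bitlen(n) bits of the digest, so the shift amount depends on the digest's length, not on the numeric size of the integer it happens to encode. The advisory above describes the failure when the shift is derived from the integer after its leading zero bytes have been dropped: for a digest longer than n (a 512-bit hash on a 256-bit curve) that starts with zero bytes, the verifier shifts too little and compares against the wrong e, so a signature made by a standards-conforming signer is rejected. The following is an added example, not code from elliptic or the ganache-cli project; the "buggy" variant is a reconstruction of the behaviour the advisory describes, not a copy of elliptic's source, and the two digests are constructed.

```javascript
// Added example, not code from elliptic or the ganache-cli project: ECDSA digest
// truncation written correctly and in the form CVE-2024-48948 describes, so the
// mismatch can be reproduced offline. The order constant is the public secp256k1 value.
const SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141n;

const bytesToBigInt = (bytes) => bytes.reduce((acc, b) => (acc << 8n) | BigInt(b), 0n);
const bitLength = (v) => v.toString(2).length;   // bit length of a non-negative BigInt

// Correct: the shift is computed from the digest length in bytes, which the caller
// knows regardless of how many leading zero bytes the digest has.
function truncateToN(hashBytes, n) {
  const delta = hashBytes.length * 8 - bitLength(n);
  let e = bytesToBigInt(hashBytes);
  if (delta > 0) e >>= BigInt(delta);
  return e >= n ? e - n : e;   // single conditional subtraction, as elliptic does
}

// Reconstruction of the flawed behaviour: the shift is computed from the byte length
// of the integer value, so a digest beginning with 0x00000000 is shifted 32 bits less
// than a conforming signer shifted it.
function truncateToNBuggy(hashBytes, n) {
  let e = bytesToBigInt(hashBytes);
  const delta = Math.ceil(bitLength(e) / 8) * 8 - bitLength(n);
  if (delta > 0) e >>= BigInt(delta);
  return e >= n ? e - n : e;
}

// Constructed 64-byte (SHA-512-sized) digests for a 256-bit curve order: one with the
// four leading zero bytes the advisory names, one without.
const digestWithLeadingZeros = Uint8Array.from([0, 0, 0, 0, ...new Array(60).fill(0x11)]);
const digestNoLeadingZeros   = Uint8Array.from(new Array(64).fill(0x11));

// Run both truncations and report whether they agree.
function compare(hashBytes, n = SECP256K1_N) {
  const good = truncateToN(hashBytes, n);
  const bad = truncateToNBuggy(hashBytes, n);
  return { good, bad, agree: good === bad };
}

console.log(compare(digestWithLeadingZeros));
console.log(compare(digestNoLeadingZeros));
```

With a 32-byte digest on secp256k1 no shift is needed either way, which is why the advisory limits the impact to hashes longer than the group order; the conditional subtraction at the end is shared by both variants and is not the source of the disagreement.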