2 critical · 19 high · 12 medium · 2 low · 35 total (deduped by advisory)
NPM package @datagrok/biostructure-viewer@1.4.9 — production dependency tree audited with npm audit.
| Advisory | Severity | Dependency | Installed | Vulnerable range | Fixed by | CVSS | Description |
|---|---|---|---|---|---|---|---|
| GHSA-67hx-6x53-jw92 | CRITICAL | @babel/traverse | 7.12.13 | <7.23.2 | @rcsb/rcsb-saguaro-api@1.0.1 | 9.3 | Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code |
| GHSA-fjxv-7rqg-78g4 | CRITICAL | form-data | 4.0.0 | >=4.0.0 <4.0.4 | @rcsb/rcsb-saguaro-api@1.0.1 | form-data uses unsafe random function in form-data for choosing boundary | |
| GHSA-23c5-xmqv-rm74 | HIGH | minimatch | 3.0.4 | <3.1.4 | @rcsb/rcsb-saguaro-api@1.0.1 | 7.5 | minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions |
| GHSA-34x7-hfp2-rc4v | HIGH | tar | 6.2.1 | <7.5.7 | molstar@5.10.1 | 8.2 | node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal |
| GHSA-36jr-mh4h-2g58 | HIGH | d3-color | 1.4.1 | <3.1.0 | d3@7.9.0 | d3-color vulnerable to ReDoS | |
| GHSA-3h5v-q93c-6h6q | HIGH | ws | 8.13.0 | >=8.0.0 <8.17.1 | @rcsb/rcsb-saguaro-api@1.0.1 | 7.5 | ws affected by a DoS when handling a request with many HTTP headers |
| GHSA-3ppc-4f35-3m26 | HIGH | minimatch | 3.0.4 | <3.1.3 | @rcsb/rcsb-saguaro-api@1.0.1 | minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern | |
| GHSA-7r86-cg39-jmmj | HIGH | minimatch | 3.0.4 | <3.1.3 | @rcsb/rcsb-saguaro-api@1.0.1 | 7.5 | minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments |
| GHSA-83g3-92jg-28cx | HIGH | tar | 6.2.1 | <7.5.8 | molstar@5.10.1 | 7.1 | Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-tar Extraction |
| GHSA-8cf7-32gw-wr33 | HIGH | jsonwebtoken | 8.5.1 | <=8.5.1 | @rcsb/rcsb-saguaro-api@1.0.1 | 8.1 | jsonwebtoken unrestricted key type could lead to legacy keys usage |
| GHSA-8qq5-rm4j-mr97 | HIGH | tar | 6.2.1 | <=7.5.2 | molstar@5.10.1 | node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization | |
| GHSA-96hv-2xvq-fx4p | HIGH | ws | 8.13.0 | >=8.0.0 <8.21.0 | @rcsb/rcsb-saguaro-api@1.0.1 | 7.5 | ws: Memory exhaustion DoS from tiny fragments and data chunks |
| GHSA-9ppj-qmqm-q256 | HIGH | tar | 6.2.1 | <=7.5.10 | molstar@5.10.1 | node-tar Symlink Path Traversal via Drive-Relative Linkpath | |
| GHSA-f8q6-p94x-37v3 | HIGH | minimatch | 3.0.4 | <3.0.5 | @rcsb/rcsb-saguaro-api@1.0.1 | 7.5 | minimatch ReDoS vulnerability |
| GHSA-hmw2-7cc7-3qxx | HIGH | form-data | 4.0.0 | >=4.0.0 <4.0.6 | @rcsb/rcsb-saguaro-api@1.0.1 | 7.5 | form-data: CRLF injection in form-data via unescaped multipart field names and filenames |
| GHSA-ph9p-34f9-6g65 | HIGH | tmp | 0.0.33 | <0.2.6 | @rcsb/rcsb-saguaro-api@1.0.1 | tmp has Path Traversal via unsanitized prefix/postfix that enables directory escape | |
| GHSA-qffp-2rhf-9h96 | HIGH | tar | 6.2.1 | <=7.5.9 | molstar@5.10.1 | tar has Hardlink Path Traversal via Drive-Relative Linkpath | |
| GHSA-r5fr-rjxr-66jc | HIGH | lodash | 4.17.21 | >=4.0.0 <=4.17.23 | @rcsb/rcsb-saguaro-api@1.0.1 | 8.1 | lodash vulnerable to Code Injection via `_.template` imports key names |
| GHSA-r683-j2x4-v87g | HIGH | node-fetch | 2.6.1 | <2.6.7 | @rcsb/rcsb-saguaro-api@1.0.1 | 8.8 | node-fetch forwards secure headers to untrusted sites |
| GHSA-r6q2-hw4h-h46w | HIGH | tar | 6.2.1 | <=7.5.3 | molstar@5.10.1 | 8.8 | Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS |
| GHSA-x7q7-fchv-8h2j | HIGH | @ranfdev/deepobj | 1.0.2 | <=1.0.2 | @rcsb/rcsb-saguaro-app@5.1.5 | 8.2 | @ranfdev/deepobj has a Prototype Pollution vulnerability |
| GHSA-58qx-3vcg-4xpx | MEDIUM | ws | 8.13.0 | >=8.0.0 <8.20.1 | @rcsb/rcsb-saguaro-api@1.0.1 | 4.4 | ws: Uninitialized memory disclosure |
| GHSA-6fc8-4gx4-v693 | MEDIUM | ws | 8.13.0 | >=7.0.0 <7.4.6 | @rcsb/rcsb-saguaro-api@1.0.1 | 5.3 | ReDoS in Sec-Websocket-Protocol header |
| GHSA-6rw7-vpxm-498p | MEDIUM | qs | 6.5.5 | <6.14.1 | molstar@5.10.1 | 3.7 | qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion |
| GHSA-72xf-g2v4-qvf3 | MEDIUM | tough-cookie | 2.5.0 | <4.1.3 | molstar@5.10.1 | 6.5 | tough-cookie Prototype Pollution vulnerability |
| GHSA-f23m-r3pf-42rh | MEDIUM | lodash | 4.17.21 | <=4.17.23 | @rcsb/rcsb-saguaro-api@1.0.1 | 6.5 | lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` |
| GHSA-hjrf-2m68-5959 | MEDIUM | jsonwebtoken | 8.5.1 | <=8.5.1 | @rcsb/rcsb-saguaro-api@1.0.1 | 5 | jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC |
| GHSA-p8p7-x288-28g6 | MEDIUM | request | 2.88.2 | <=2.88.2 | molstar@5.10.1 | 6.1 | Server-Side Request Forgery in Request |
| GHSA-pfrx-2q88-qq97 | MEDIUM | got | 9.6.0 | <11.8.5 | @rcsb/rcsb-saguaro-api@1.0.1 | 5.3 | Got allows a redirect to a UNIX socket |
| GHSA-qwph-4952-7xr6 | MEDIUM | jsonwebtoken | 8.5.1 | <9.0.0 | @rcsb/rcsb-saguaro-api@1.0.1 | 6.4 | jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify() |
| GHSA-vmf3-w455-68vh | MEDIUM | tar | 6.2.1 | <=7.5.15 | molstar@5.10.1 | node-tar applies PAX size override to intermediary GNU long-name/long-link headers, causing tar parser interpretation differential (file smuggling) | |
| GHSA-w5hq-g745-h8pq | MEDIUM | uuid | 10.0.0 | <11.1.1 | uuid@14.0.1 | 7.5 | uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided |
| GHSA-xxjr-mmjv-4gpg | MEDIUM | lodash | 4.17.21 | >=4.0.0 <=4.17.22 | @rcsb/rcsb-saguaro-api@1.0.1 | 6.5 | Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions |
| GHSA-52f5-9888-hmc6 | LOW | tmp | 0.0.33 | <=0.2.3 | @rcsb/rcsb-saguaro-api@1.0.1 | 2.5 | tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter |
| GHSA-vpq2-c234-7xj6 | LOW | @tootallnate/once | 1.1.2 | <2.0.1 | @rcsb/rcsb-saguaro-api@1.0.1 | 3.3 | @tootallnate/once vulnerable to Incorrect Control Flow Scoping |