
[Security] Resolve Multiple Vulnerabilities Detected in NPM Packages #19

Open
vaibhavyadav-dev opened this issue Oct 18, 2024 · 4 comments
@vaibhavyadav-dev
Member

Description

Multiple vulnerabilities have been detected in the following NPM packages. Action is required to patch or upgrade these packages to mitigate potential security risks.

Vulnerabilities List

  1. protobufjs - Prototype Pollution Vulnerability

    • Severity: Critical
    • Package: protobufjs
    • Detected in: package-lock.json
  2. Babel - Arbitrary Code Execution when compiling specifically crafted malicious code

    • Severity: Critical
    • Package: @babel/traverse
    • Detected in: package-lock.json
  3. rollup - DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS

    • Severity: High
    • Package: rollup
    • Detected in: package-lock.json
  4. body-parser - Vulnerable to denial of service when URL encoding is enabled

    • Severity: High
    • Package: body-parser
    • Detected in: package-lock.json
  5. path-to-regexp - Outputs backtracking regular expressions

    • Severity: High
    • Package: path-to-regexp
    • Detected in: package-lock.json
  6. axios - Server-Side Request Forgery

    • Severity: High
    • Package: axios
    • Detected in: package-lock.json
  7. ws - Vulnerable to a DoS attack when handling requests with many HTTP headers

    • Severity: High
    • Package: ws
    • Detected in: package-lock.json
  8. braces - Uncontrolled resource consumption

    • Severity: High
    • Package: braces
    • Detected in: package-lock.json
  9. webpack-dev-middleware - Path traversal vulnerability

    • Severity: High
    • Package: webpack-dev-middleware
    • Detected in: package-lock.json
  10. semver - Regular Expression Denial of Service (ReDoS)

    • Severity: High
    • Package: semver
    • Detected in: package-lock.json
  11. nth-check - Inefficient Regular Expression Complexity

    • Severity: High
    • Package: nth-check
    • Detected in: package-lock.json
  12. send - Vulnerable to template injection that can lead to XSS

    • Severity: Moderate
    • Package: send
    • Detected in: package-lock.json
  13. serve-static - Vulnerable to template injection that can lead to XSS

    • Severity: Moderate
    • Package: serve-static
    • Detected in: package-lock.json
  14. express - Vulnerable to XSS via response.redirect()

    • Severity: Moderate
    • Package: express
    • Detected in: package-lock.json
  15. webpack - DOM Clobbering Gadget in AutoPublicPathRuntimeModule

    • Severity: Moderate
    • Package: webpack
    • Detected in: package-lock.json

Steps to Reproduce

  1. Analyze the package-lock.json for the listed vulnerabilities.
  2. Upgrade the vulnerable packages to their latest secure versions.
  3. If no patch is available, consider removing the vulnerable packages or using an alternative.

Expected Outcome

  • All vulnerabilities should be addressed, either by upgrading to secure versions or implementing workarounds where necessary, to ensure the security of the system.
@Yash-007

Hey, I would like to address this issue. Can you please assign it to me?

@vaibhavyadav-dev
Member Author

ok @Yash-007 you can take this

@vaibhavyadav-dev
Member Author

@Yash-007 are you working on this?

@Yash-007

Yash-007 commented Oct 21, 2024

@vaibhavyadav-dev Yes, please review the pr
