Dolevmiz1

**Name of the Vulnerable Software and Affected Versions** Axios versions prior to 0.31.1 Axios versions prior to 1.15.1 **Description** An issue exists where the software reads keys from Object.prototype without a hasOwnProperty guard. If a co-dependency pollutes the Object.prototype, an attacker can silently intercept and modify every JSON response before the application processes it, or fully hijack the underlying HTTP transport to gain access to request credentials, headers, and the body. This requires prototype pollution from a separate source within the same process. **Recommendations** Update to version 0.31.1 Update to version 1.15.1

**Name of the Vulnerable Software and Affected Versions** lodash versions prior to 4.18.0 **Description** The software contains a flaw related to template compilation. Specifically, insufficient validation of key names within the `options.imports` object used by the ` .template` function can allow an attacker to inject default-parameter expressions, leading to arbitrary code execution. The issue arises because validation applied to the `option` variable is not extended to the `options.imports` key names. Furthermore, the use of `assignInWith` can introduce vulnerabilities if `Object.prototype` has been compromised, potentially copying polluted keys into the imports object and ultimately executing malicious code. **Recommendations** Upgrade to version 4.18.0. Do not pass untrusted input as key names in `options.imports`. Only use developer-controlled, static key names.

**Name of the Vulnerable Software and Affected Versions** minimatch versions prior to 3.1.3 minimatch versions 3.1.3 through 4.2.5 minimatch versions 4.2.5 through 5.1.8 minimatch versions 5.1.8 through 6.2.2 minimatch versions 6.2.2 through 7.4.8 minimatch versions 7.4.8 through 8.0.6 minimatch versions 8.0.6 through 9.0.7 minimatch versions 9.0.7 through 10.2.3 **Description** The `minimatch` software contains a flaw where the `matchOne()` function can experience unbounded recursive backtracking when processing glob patterns with multiple non-adjacent `**` (GLOBSTAR) segments, particularly when the input path does not match the pattern. This can lead to a time complexity of O(C(n, k)), where `n` represents the number of path segments and `k` is the number of globstars. This issue can cause the Node.js event loop to stall for extended periods, potentially tens of seconds, with a pattern size of approximately 56 bytes. Applications vulnerable to this issue include build tools, task runners, multi-tenant systems, admin interfaces, and CI/CD pipelines that accept user-supplied glob arguments. An attacker who can control the glob pattern passed to `minimatch()` can exploit this flaw. **Recommendations** Update to minimatch version 3.1.3 or later. Update to minimatch version 4.2.5 or later. Update to minimatch version 5.1.8 or later. Update to minimatch version 6.2.2 or later. Update to minimatch version 7.4.8 or later. Update to minimatch version 8.0.6 or later. Update to minimatch version 9.0.7 or later. Update to minimatch version 10.2.3 or later.

**Name of the Vulnerable Software and Affected Versions** minimatch versions prior to 10.2.3 minimatch versions prior to 9.0.7 minimatch versions prior to 8.0.6 minimatch versions prior to 7.4.8 minimatch versions prior to 6.2.2 minimatch versions prior to 5.1.8 minimatch versions prior to 4.2.5 minimatch versions prior to 3.1.4 **Description** The software is susceptible to catastrophic backtracking when processing certain glob expressions containing nested `*()` or `+()` extglobs. Specifically, regular expressions generated from these patterns can lead to excessive backtracking in V8, causing significant performance issues, including stalls lasting several seconds or even minutes. A 12-byte pattern like `*(*(*(a|b)))` with an 18-byte non-matching input can trigger this behavior. The issue occurs with the default `minimatch()` API without requiring special options. **Recommendations** Update to minimatch version 10.2.3 or later. Update to minimatch version 9.0.7 or later. Update to minimatch version 8.0.6 or later. Update to minimatch version 7.4.8 or later. Update to minimatch version 6.2.2 or later. Update to minimatch version 5.1.8 or later. Update to minimatch version 4.2.5 or later. Update to minimatch version 3.1.4 or later.