Secdevlpr26

**Name of the Vulnerable Software and Affected Versions** kangax html-minifier version 4.0.0 **Description** A Regular Expression Denial of Service (ReDoS) flaw was found in the `candidate` variable in htmlminifier.js. This issue can cause a denial of service. **Recommendations** For kangax html-minifier version 4.0.0, consider disabling the `candidate` variable in htmlminifier.js as a temporary workaround until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** browserify-shim version 3.8.15 **Description** The issue is related to a prototype pollution vulnerability in the `resolveShims` function, located in the `resolve-shims.js` file. This vulnerability is exploitable via the `shimPath` variable in `resolve-shims.js`. **Recommendations** For browserify-shim version 3.8.15, consider updating to a newer version that contains a fix for this issue, if available. As a temporary workaround, consider restricting access to the `resolveShims` function to minimize the risk of exploitation. Avoid using the `shimPath` variable in the affected `resolve-shims.js` file until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** browserify-shim version 3.8.15 **Description** The issue is related to a prototype pollution vulnerability in the `resolveShims` function, located in `resolve-shims.js`. This vulnerability is exploitable via the `fullPath` variable in `resolve-shims.js`. **Recommendations** For browserify-shim version 3.8.15, consider updating to a newer version that contains a fix for this issue, if available. As a temporary workaround, consider restricting access to the `resolveShims` function in `resolve-shims.js` to minimize the risk of exploitation. Avoid using the `fullPath` variable in the affected `resolve-shims.js` until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** webpack loader-utils version 2.0.0 webpack loader-utils versions prior to 1.4.2 webpack loader-utils versions prior to 2.0.4 webpack loader-utils versions prior to 3.2.1 **Description** A Regular expression denial of service (ReDoS) flaw was found in the `interpolateName` function in `interpolateName.js` in webpack loader-utils via the `url` variable. A badly or maliciously formed string could be used to send crafted requests that cause a system to crash or take a disproportional amount of time to process. **Recommendations** For version 2.0.0, update to version 2.0.4 or later to resolve the issue. For versions prior to 1.4.2, update to version 1.4.2 or later to resolve the issue. For versions prior to 3.2.1, update to version 3.2.1 or later to resolve the issue. As a temporary workaround, consider restricting the use of the `interpolateName` function in `interpolateName.js` until a patch is applied. Avoid using the `url` variable in the affected `interpolateName.js` file until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** karma-runner grunt-karma version 4.0.1 **Description** The issue is related to a prototype pollution vulnerability in the karma-runner grunt-karma. It occurs via the `key` variable in `grunt-karma.js`. **Recommendations** For version 4.0.1, consider restricting access to the `grunt-karma.js` file or the `key` variable until a patch is available. As a temporary workaround, avoid using the `key` variable in the affected `grunt-karma.js` file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** mockery.js (affected versions not specified) **Description** The issue is related to a prototype pollution vulnerability in the `enable` function of `mockery.js`, specifically in the `mfncooper` `mockery` commit `822f0566fd6d72af8c943ae5ca2aa92e516aa2cf`. This vulnerability is exploited via the `key` variable in `mockery.js`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** tschaub gh-pages version 3.1.0 **Description** The issue is related to a prototype pollution vulnerability. It is exploited via the `partial` variable in util.js. **Recommendations** For tschaub gh-pages version 3.1.0, consider restricting access to the `partial` variable in util.js to minimize the risk of exploitation. As a temporary workaround, avoid using the `partial` variable in util.js until a patch is available.

**Name of the Vulnerable Software and Affected Versions** @xmldom/xmldom versions prior to 0.8.3 **Description** A prototype pollution vulnerability exists in the function copy in dom.js via the `p` variable. This issue is disputed by the vendor and some third parties, with attempts to create a proof of concept being unsuccessful. **Recommendations** Update to @xmldom/xmldom@~0.7.6, @xmldom/xmldom@~0.8.3, or @xmldom/xmldom@>=0.9.0-beta.2 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** thlorenz browserify-shim version 3.8.15 **Description** The issue is related to a prototype pollution vulnerability in the `resolveShims` function within the resolve-shims.js file of thlorenz browserify-shim. This vulnerability is exploited via the `k` variable in resolve-shims.js. **Recommendations** For thlorenz browserify-shim version 3.8.15, consider disabling the `resolveShims` function as a temporary workaround until a patch is available. Restrict access to the resolve-shims.js file to minimize the risk of exploitation. Avoid using the `k` variable in the affected function until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** js-beautify version 1.13.7 **Description** The issue is related to a prototype pollution vulnerability. It affects the js-beautify library, specifically via the `name` variable in options.js. **Recommendations** For js-beautify version 1.13.7, consider restricting access to the `name` variable in options.js to minimize the risk of exploitation until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** stealjs steal version 2.2.4 **Description** A Regular Expression Denial of Service (ReDoS) flaw was found in the software via the `string` variable in `babel.js`. This issue can cause a denial of service. **Recommendations** For version 2.2.4, consider restricting access to the `babel.js` file or disabling the use of the `string` variable until a patch is available. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** stealjs steal version 2.2.4 **Description** The issue is related to a prototype pollution vulnerability in stealjs steal, specifically via the `alias` variable in babel.js. This vulnerability can be exploited, but details about the estimated number of potentially affected devices worldwide or real-world incidents are not provided. **Recommendations** For stealjs steal version 2.2.4, consider disabling the `alias` variable in babel.js as a temporary workaround until a patch is available. Restrict access to the vulnerable module to minimize the risk of exploitation. Avoid using the `alias` variable in the affected configuration until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** stealjs steal version 2.2.4 **Description** The issue is related to a prototype pollution vulnerability in the `convertLater` function in `npm-convert.js` via the `packageName` variable. **Recommendations** For stealjs steal version 2.2.4, consider disabling the `convertLater` function until a patch is available. Restrict access to the `npm-convert.js` module to minimize the risk of exploitation. Avoid using the `packageName` variable in the affected function until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** stealjs steal version 2.2.4 **Description** A Regular Expression Denial of Service (ReDoS) flaw was found in the `source` and `sourceWithComments` variables in main.js. This issue can cause a denial of service. **Recommendations** For version 2.2.4, consider restricting access to the `source` and `sourceWithComments` variables in main.js to minimize the risk of exploitation. Avoid using these variables until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** stealjs steal version 2.2.4 **Description** The issue is related to a prototype pollution vulnerability in the `extend` function in `babel.js` within `stealjs steal`. This vulnerability is exploited via the `key` variable in `babel.js`. **Recommendations** For version 2.2.4, consider disabling the `extend` function in `babel.js` as a temporary workaround until a patch is available. Restrict access to the `key` variable in the affected `babel.js` to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** stealjs steal version 2.2.4 **Description** The issue is related to a prototype pollution vulnerability in the `convertLater` function in `npm-convert.js`. This vulnerability is exploited via the `requestedVersion` variable in `npm-convert.js`. **Recommendations** For stealjs steal version 2.2.4, consider disabling the `convertLater` function as a temporary workaround until a patch is available. Restrict access to the `npm-convert.js` file to minimize the risk of exploitation. Avoid using the `requestedVersion` variable in the affected `convertLater` function until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** stealjs steal version 2.2.4 **Description** A Regular Expression Denial of Service (ReDoS) flaw was found in the input variable in main.js. This issue can cause a denial of service. **Recommendations** For version 2.2.4, consider restricting the input to prevent exploitation of the ReDoS flaw until a patch is available. As a temporary workaround, avoid using the `input` variable in main.js to minimize the risk of denial of service.

**Name of the Vulnerable Software and Affected Versions** stealjs steal version 2.2.4 **Description** The issue is related to a prototype pollution vulnerability. It affects stealjs steal via the `optionName` variable in main.js. **Recommendations** For stealjs steal version 2.2.4, consider restricting access to the `optionName` variable in main.js to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.