WS-2018-0588 (High) detected in querystringify-1.0.0.tgz, querystringify-0.0.4.tgz

[mend-bolt-for-github]

WS-2018-0588 - High Severity Vulnerability

Vulnerable Libraries - querystringify-1.0.0.tgz, querystringify-0.0.4.tgz

querystringify-1.0.0.tgz

Querystringify - Small, simple but powerful query string parser.

Library home page: https://registry.npmjs.org/querystringify/-/querystringify-1.0.0.tgz

Path to dependency file: /react-kanban/package.json

Path to vulnerable library: react-kanban/node_modules/url-parse/node_modules/querystringify/package.json

Dependency Hierarchy:

• react-scripts-1.1.1.tgz (Root Library)
  • react-dev-utils-5.0.0.tgz
    • sockjs-client-1.1.4.tgz
      • url-parse-1.2.0.tgz
        • ❌ querystringify-1.0.0.tgz (Vulnerable Library)

querystringify-0.0.4.tgz

Querystringify - Small, simple but powerful query string parser.

Library home page: https://registry.npmjs.org/querystringify/-/querystringify-0.0.4.tgz

Path to dependency file: /react-kanban/package.json

Path to vulnerable library: react-kanban/node_modules/querystringify/package.json

Dependency Hierarchy:

• react-scripts-1.1.1.tgz (Root Library)
  • react-dev-utils-5.0.0.tgz
    • sockjs-client-1.1.4.tgz
      • eventsource-0.1.6.tgz
        • original-1.0.0.tgz
          • url-parse-1.0.5.tgz
            • ❌ querystringify-0.0.4.tgz (Vulnerable Library)

Vulnerability Details

A vulnerability was found in querystringify before 2.0.0. It's possible to override built-in properties of the resulting query string object if a malicious string is inserted in the query string.

Publish Date: 2018-04-19

URL: WS-2018-0588

CVSS 2 Score Details (7.6)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: unshiftio/querystringify@422eb4f

Release Date: 2019-06-04

Fix Resolution: 2.0.0

---

Step up your Open Source Security Game with WhiteSource here