frontend-1.3.1.tgz: 5 vulnerabilities (highest severity is: 7.5) #274
Description
Vulnerable Library - frontend-1.3.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/vite/package.json,/package.json
Found in HEAD commit: d7291cdc995ec80e4b184d3be7cbfe24f0ab800b
Vulnerabilities
| Vulnerability | Severity |  CVSS |
Exploit Maturity | EPSS | Dependency | Type | Fixed in (frontend version) | Remediation Possible** | Reachability |
|---|---|---|---|---|---|---|---|---|---|
| CVE-2025-64756 |  High |
7.5 | Not Defined | 0.0% | glob-10.4.1.tgz | Transitive | N/A* | ❌ | |
| CVE-2025-62522 |  Medium |
6.5 | Not Defined | 0.1% | vite-5.4.19.tgz | Transitive | N/A* | ❌ | |
| CVE-2025-66400 | Medium |
5.3 | Not Defined | 0.1% | mdast-util-to-hast-13.2.0.tgz | Transitive | N/A* | ❌ | |
| CVE-2025-58752 | Medium |
5.3 | Not Defined | 0.0% | vite-5.4.19.tgz | Transitive | N/A* | ❌ | |
| CVE-2025-58751 | Medium |
5.3 | Not Defined | 2.1% | vite-5.4.19.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2025-64756
Vulnerable Library - glob-10.4.1.tgz
Library home page: https://registry.npmjs.org/glob/-/glob-10.4.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/@vonage/vcr-sdk/node_modules/glob/package.json,/node_modules/sucrase/node_modules/glob/package.json,/package.json
Dependency Hierarchy:
- frontend-1.3.1.tgz (Root Library)
- tailwindcss-3.4.14.tgz
- sucrase-3.35.0.tgz
- ❌ glob-10.4.1.tgz (Vulnerable Library)
- sucrase-3.35.0.tgz
- tailwindcss-3.4.14.tgz
Found in HEAD commit: d7291cdc995ec80e4b184d3be7cbfe24f0ab800b
Found in base branch: main
Vulnerability Details
Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c are used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges. This issue has been patched in versions 10.5.0 and 11.1.0.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-11-17
URL: CVE-2025-64756
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.0%
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-5j98-mcp5-4vw2
Release Date: 2025-11-17
Fix Resolution: https://github.com/isaacs/node-glob.git - v10.5.0,glob - 11.1.0,https://github.com/isaacs/node-glob.git - v11.1.0,glob - 10.5.0
CVE-2025-62522
Vulnerable Library - vite-5.4.19.tgz
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-5.4.19.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/vite/package.json,/package.json
Dependency Hierarchy:
- frontend-1.3.1.tgz (Root Library)
- ❌ vite-5.4.19.tgz (Vulnerable Library)
Found in HEAD commit: d7291cdc995ec80e4b184d3be7cbfe24f0ab800b
Found in base branch: main
Vulnerability Details
Vite is a frontend tooling framework for JavaScript. In versions from 2.9.18 to before 3.0.0, 3.2.9 to before 4.0.0, 4.5.3 to before 5.0.0, 5.2.6 to before 5.4.21, 6.0.0 to before 6.4.1, 7.0.0 to before 7.0.8, and 7.1.0 to before 7.1.11, files denied by server.fs.deny were sent if the URL ended with \ when the dev server is running on Windows. Only apps explicitly exposing the Vite dev server to the network and running the dev server on Windows were affected. This issue has been patched in versions 5.4.21, 6.4.1, 7.0.8, and 7.1.11.
Publish Date: 2025-10-20
URL: CVE-2025-62522
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-93m4-6634-74q7
Release Date: 2025-10-20
Fix Resolution: vite - 7.0.8,vite - 5.4.21,vite - 7.1.11,vite - 6.4.1
CVE-2025-66400
Vulnerable Library - mdast-util-to-hast-13.2.0.tgz
Library home page: https://registry.npmjs.org/mdast-util-to-hast/-/mdast-util-to-hast-13.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mdast-util-to-hast/package.json,/package.json
Dependency Hierarchy:
- frontend-1.3.1.tgz (Root Library)
- typedoc-0.26.10.tgz
- shiki-1.22.2.tgz
- core-1.22.2.tgz
- hast-util-to-html-9.0.3.tgz
- ❌ mdast-util-to-hast-13.2.0.tgz (Vulnerable Library)
- hast-util-to-html-9.0.3.tgz
- core-1.22.2.tgz
- shiki-1.22.2.tgz
- typedoc-0.26.10.tgz
Found in HEAD commit: d7291cdc995ec80e4b184d3be7cbfe24f0ab800b
Found in base branch: main
Vulnerability Details
mdast-util-to-hast is an mdast utility to transform to hast. From 13.0.0 to before 13.2.1, multiple (unprefixed) classnames could be added in markdown source by using character references. This could make rendered user supplied markdown code elements appear like the rest of the page. This vulnerability is fixed in 13.2.1.
Publish Date: 2025-12-01
URL: CVE-2025-66400
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2025-12-01
Fix Resolution: https://github.com/syntax-tree/mdast-util-to-hast.git - 13.2.1
CVE-2025-58752
Vulnerable Library - vite-5.4.19.tgz
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-5.4.19.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/vite/package.json,/package.json
Dependency Hierarchy:
- frontend-1.3.1.tgz (Root Library)
- ❌ vite-5.4.19.tgz (Vulnerable Library)
Found in HEAD commit: d7291cdc995ec80e4b184d3be7cbfe24f0ab800b
Found in base branch: main
Vulnerability Details
Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, any HTML files on the machine were served regardless of the "server.fs" settings. Only apps that explicitly expose the Vite dev server to the network (using --host or server.host config option) and use "appType: 'spa'" (default) or "appType: 'mpa'" are affected. This vulnerability also affects the preview server. The preview server allowed HTML files not under the output directory to be served. Versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20 fix the issue.
Publish Date: 2025-09-08
URL: CVE-2025-58752
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.0%
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-jqfw-vq24-v9c3
Release Date: 2025-09-08
Fix Resolution: vite - 5.4.20,vite - 7.1.5,vite - 7.0.7,vite - 6.3.6,https://github.com/vitejs/vite.git - v6.3.6,https://github.com/vitejs/vite.git - v5.4.20,https://github.com/vitejs/vite.git - v7.0.7,https://github.com/vitejs/vite.git - v7.1.5
CVE-2025-58751
Vulnerable Library - vite-5.4.19.tgz
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-5.4.19.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/vite/package.json,/package.json
Dependency Hierarchy:
- frontend-1.3.1.tgz (Root Library)
- ❌ vite-5.4.19.tgz (Vulnerable Library)
Found in HEAD commit: d7291cdc995ec80e4b184d3be7cbfe24f0ab800b
Found in base branch: main
Vulnerability Details
Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, files starting with the same name with the public directory were served bypassing the "server.fs" settings. Only apps that explicitly expose the Vite dev server to the network (using --host or "server.host" config option), use the public directory feature (enabled by default), and have a symlink in the public directory are affected. Versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20 fix the issue.
Publish Date: 2025-09-08
URL: CVE-2025-58751
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 2.1%
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-g4jq-h2w9-997c
Release Date: 2025-09-08
Fix Resolution: vite - 7.1.5,vite - 6.3.6,vite - 5.4.20,vite - 7.0.7