CVEs #2930

@mvanmeerbeck

Description

Hi, here is a list of CVEs that should be fixed (prod dependencies / severity >= moderate), run with:

yarn npm audit --all --recursive --environment production --severity moderate

| CVE | Origin | Solution |
|---|---|---|
| @nestjs/common | @subql/query | upgrade nest |
| axios | @subql/network-clients | move to dev dependencies |
| elliptic | @subql/network-clients | I don't know |
| ip | @subql/cli > websocket | no fix yet |
| json5 | @subql/query > postgraphile | upgrade postgraphile |
| multer | @subql/node > @nestjs/platform-express | upgrade nest |
| path-to-regexp | @subql/query > @nestjs/platform-express > express | upgrade nest |
| semver | could not find | n/a |
| tar | @subql/cli > websocket | no fix yet |
| vm2 | @subql/node-core | already known |
| ws | @subql/query > postgraphile | upgrade postgraphile |

├─ @nestjs/common: 9.4.3
│  ├─ Issue: nest allows a remote attacker to execute arbitrary code via the Content-Type header
│  ├─ URL: https://github.com/advisories/GHSA-cj7v-w2c7-cp7c
│  ├─ Severity: moderate
│  ├─ Vulnerable Versions: <10.4.16
│  ├─ Patched Versions: >=10.4.16
│  ├─ Via: @nestjs/common, @nestjs/core, @nestjs/platform-express
│  └─ Recommendation: Upgrade to version 10.4.16 or later
│
├─ axios: 0.28.0
│  ├─ Issue: Axios is vulnerable to DoS attack through lack of data size check
│  ├─ URL: https://github.com/advisories/GHSA-4hjh-wcwx-xvwj
│  ├─ Severity: high
│  ├─ Vulnerable Versions: <0.30.2
│  ├─ Patched Versions: >=0.30.2
│  ├─ Via: axios, @subql/network-clients
│  └─ Recommendation: Upgrade to version 0.30.2 or later
│
├─ elliptic: 6.5.4
│  ├─ Issue: Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string)
│  ├─ URL: https://github.com/advisories/GHSA-vjh7-7g9h-fjfh
│  ├─ Severity: critical
│  ├─ Vulnerable Versions: <=6.6.0
│  ├─ Patched Versions: >=6.6.1
│  ├─ Via: @subql/network-clients
│  └─ Recommendation: Upgrade to version 6.6.1 or later
│
├─ form-data: 4.0.1
│  ├─ Issue: form-data uses unsafe random function in form-data for choosing boundary
│  ├─ URL: https://github.com/advisories/GHSA-fjxv-7rqg-78g4
│  ├─ Severity: critical
│  ├─ Vulnerable Versions: >=4.0.0 <4.0.4
│  ├─ Patched Versions: >=4.0.4
│  ├─ Via: form-data, axios, @subql/network-clients
│  └─ Recommendation: Upgrade to version 4.0.4 or later
│
├─ ip: 1.1.9
│  ├─ Issue: ip SSRF improper categorization in isPublic
│  ├─ URL: https://github.com/advisories/GHSA-2p57-rm9w-gvfp
│  ├─ Severity: high
│  ├─ Vulnerable Versions: <=2.0.1
│  ├─ Patched Versions: <0.0.0
│  ├─ Via: websocket
│  └─ Recommendation: None
│
├─ json5: 2.2.1
│  ├─ Issue: Prototype Pollution in JSON5 via Parse Method
│  ├─ URL: https://github.com/advisories/GHSA-9c47-m6qq-7p4h
│  ├─ Severity: high
│  ├─ Vulnerable Versions: >=2.0.0 <2.2.2
│  ├─ Patched Versions: >=2.2.2
│  ├─ Via: json5, postgraphile, tsconfig-paths-webpack-plugin
│  └─ Recommendation: Upgrade to version 2.2.2 or later
│
├─ multer: 1.4.4-lts.1
│  ├─ Issue: Multer vulnerable to Denial of Service via unhandled exception from malformed request
│  ├─ URL: https://github.com/advisories/GHSA-fjgf-rc76-4x9p
│  ├─ Severity: high
│  ├─ Vulnerable Versions: >=1.4.4-lts.1 <2.0.2
│  ├─ Patched Versions: >=2.0.2
│  ├─ Via: @nestjs/platform-express, @nestjs/core
│  └─ Recommendation: Upgrade to version 2.0.2 or later
│
├─ path-to-regexp: 0.1.7
│  ├─ Issue: path-to-regexp contains a ReDoS
│  ├─ URL: https://github.com/advisories/GHSA-rhx6-c78j-4q9w
│  ├─ Severity: high
│  ├─ Vulnerable Versions: <0.1.12
│  ├─ Patched Versions: >=0.1.12
│  ├─ Via: @nestjs/core, @nestjs/platform-express, @modelcontextprotocol/sdk
│  └─ Recommendation: Upgrade to version 0.1.12 or later
│
├─ semver: 7.0.0
│  ├─ Issue: semver vulnerable to Regular Expression Denial of Service
│  ├─ URL: https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
│  ├─ Severity: high
│  ├─ Vulnerable Versions: >=7.0.0 <7.5.2
│  ├─ Patched Versions: >=7.5.2
│  ├─ Via: semver, @oclif/core, update-notifier, @graphile/pg-pubsub, websocket
│  └─ Recommendation: Upgrade to version 7.5.2 or later
│
├─ tar: 6.1.11
│  ├─ Issue: Denial of service while parsing a tar file due to lack of folders count validation
│  ├─ URL: https://github.com/advisories/GHSA-f5x3-32g6-xq36
│  ├─ Severity: moderate
│  ├─ Vulnerable Versions: <6.2.1
│  ├─ Patched Versions: >=6.2.1
│  ├─ Via: tar, websocket
│  └─ Recommendation: Upgrade to version 6.2.1 or later
│
├─ vm2: 3.9.19
│  ├─ Issue: vm2 Sandbox Escape vulnerability
│  ├─ URL: https://github.com/advisories/GHSA-g644-9gfx-q4q4
│  ├─ Severity: critical
│  ├─ Vulnerable Versions: <=3.9.19
│  ├─ Patched Versions: <0.0.0
│  ├─ Via: vm2
│  └─ Recommendation: None
│
└─ ws: 7.5.7
   ├─ Issue: ws affected by a DoS when handling a request with many HTTP headers
   ├─ URL: https://github.com/advisories/GHSA-3h5v-q93c-6h6q
   ├─ Severity: high
   ├─ Vulnerable Versions: >=7.0.0 <7.5.10
   ├─ Patched Versions: >=7.5.10
   ├─ Via: ws, postgraphile, @walletconnect/utils, @subql/network-clients, @walletconnect/sign-client, @polkadot/api
   └─ Recommendation: Upgrade to version 7.5.10 or later
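One way to triage a list like this mechanically, as an added example that is not part of the issue above or of the SubQuery code base: the script below parses the tree-style text that `yarn npm audit` prints (the embedded `sampleAudit` is a constructed subset of the output pasted above, and the `package: version` header plus `Field: value` row layout is assumed to hold for every finding), drops findings below a chosen severity, and splits the rest into "fixable" and "no fix yet" buckets. The `Patched Versions: <0.0.0` / `Recommendation: None` pair is what yarn prints when no patched release exists, as the `ip` and `vm2` entries show, and the `Via` column names the direct dependency that has to be bumped, replaced, or moved to devDependencies.

```javascript
// Added example (not from the SubQuery issue or code base): triage the
// tree-style `yarn npm audit` output pasted in the issue.
// `sampleAudit` is a constructed subset of that output; the format (one
// "<package>: <version>" header followed by "Field: value" rows) is assumed
// to be the same for every finding.
const sampleAudit = `├─ @nestjs/common: 9.4.3
│  ├─ Issue: nest allows a remote attacker to execute arbitrary code via the Content-Type header
│  ├─ URL: https://github.com/advisories/GHSA-cj7v-w2c7-cp7c
│  ├─ Severity: moderate
│  ├─ Vulnerable Versions: <10.4.16
│  ├─ Patched Versions: >=10.4.16
│  ├─ Via: @nestjs/common, @nestjs/core, @nestjs/platform-express
│  └─ Recommendation: Upgrade to version 10.4.16 or later
│
├─ vm2: 3.9.19
│  ├─ Issue: vm2 Sandbox Escape vulnerability
│  ├─ URL: https://github.com/advisories/GHSA-g644-9gfx-q4q4
│  ├─ Severity: critical
│  ├─ Vulnerable Versions: <=3.9.19
│  ├─ Patched Versions: <0.0.0
│  ├─ Via: vm2
│  └─ Recommendation: None
│
└─ elliptic: 6.5.4
   ├─ Issue: Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string)
   ├─ URL: https://github.com/advisories/GHSA-vjh7-7g9h-fjfh
   ├─ Severity: critical
   ├─ Vulnerable Versions: <=6.6.0
   ├─ Patched Versions: >=6.6.1
   ├─ Via: @subql/network-clients
   └─ Recommendation: Upgrade to version 6.6.1 or later`;

// Field names yarn emits under each package; any other "key: value" line
// is taken to start a new package entry.
const FIELDS = new Set(['Issue', 'URL', 'Severity', 'Vulnerable Versions',
  'Patched Versions', 'Via', 'Recommendation']);
const RANK = { low: 0, moderate: 1, high: 2, critical: 3 };

// Parse the tree into plain objects: { package, version, Issue, URL, ... }.
function parseAuditTree(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split('\n')) {
    const line = raw.replace(/^[\s│├└─]+/, '').trim(); // strip tree glyphs
    const sep = line.indexOf(': ');
    if (sep < 0) continue; // blank line or a bare "│" connector
    const key = line.slice(0, sep);
    const value = line.slice(sep + 2).trim();
    if (FIELDS.has(key)) {
      if (current) current[key] = value;
    } else {
      current = { package: key, version: value };
      entries.push(current);
    }
  }
  return entries;
}

// Keep findings at or above `minSeverity` and split them by whether a patched
// release exists. yarn reports "Patched Versions: <0.0.0" when there is none.
function triage(entries, minSeverity = 'moderate') {
  const result = { fixable: [], noFix: [] };
  for (const e of entries) {
    if ((RANK[e.Severity] ?? -1) < RANK[minSeverity]) continue;
    const noFix = e['Patched Versions'] === '<0.0.0';
    const row = {
      package: e.package,
      installed: e.version,
      severity: e.Severity,
      patched: noFix ? null : e['Patched Versions'],
      // `Via` lists the direct dependencies that pull the package in: the
      // thing to bump, replace, or move to devDependencies.
      via: e.Via ? e.Via.split(',').map((s) => s.trim()) : [],
      advisory: e.URL,
    };
    (noFix ? result.noFix : result.fixable).push(row);
  }
  const bySeverity = (a, b) =>
    RANK[b.severity] - RANK[a.severity] || a.package.localeCompare(b.package);
  result.fixable.sort(bySeverity);
  result.noFix.sort(bySeverity);
  return result;
}

// Stand-alone run: print both buckets for the constructed sample.
const report = triage(parseAuditTree(sampleAudit), 'moderate');
for (const [bucket, rows] of Object.entries(report)) {
  console.log(`== ${bucket} ==`);
  for (const r of rows) {
    console.log(`${r.severity.padEnd(8)} ${r.package}@${r.installed}` +
      ` -> ${r.patched ?? 'no fix yet'} (via ${r.via.join(', ')})`);
  }
}
```

To use it on a real run, replace `sampleAudit` with the captured output of the audit command from the issue; findings in the `noFix` bucket are the ones where the only options are replacing the dependency or accepting the risk, which is the decision the "no fix yet" rows in the table above are recording.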
