Description
Critical severity vulnerability that affects event-stream and flatmap-stream
The NPM package flatmap-stream is considered malicious. A malicious actor added this package as a dependency to the NPM event-stream package in version 3.3.6. Users of event-stream are encouraged to downgrade to the last non-malicious version, 3.3.4, or upgrade to the latest 4.x version.
Users of flatmap-stream are encouraged to remove the dependency entirely.
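The following Node.js check is an added example, not part of the original advisory or of npm's own tooling. It walks a parsed package-lock.json in either layout (nested `dependencies` or flat `packages`) and reports the two packages named above; the function names and the sample lockfile are constructed for illustration.

```javascript
// Rules from the advisory: event-stream 3.3.6 is affected;
// flatmap-stream is malicious in any version and should be removed.
const RULES = new Map([
  ['event-stream', (v) => v === '3.3.6'],
  ['flatmap-stream', () => true],
]);

function check(name, version, where, out) {
  const rule = RULES.get(name);
  if (rule && rule(version)) out.push({ name, version, where });
}

// lockfileVersion 1: nested "dependencies" objects keyed by package name.
function walkV1(deps, trail, out) {
  for (const [name, info] of Object.entries(deps || {})) {
    const where = trail.concat(name).join(' > ');
    check(name, info.version, where, out);
    walkV1(info.dependencies, trail.concat(name), out);
  }
}

// lockfileVersion 2/3: flat "packages" map keyed by install path.
function walkV2(packages, out) {
  for (const [path, info] of Object.entries(packages || {})) {
    const i = path.lastIndexOf('node_modules/');
    if (i === -1) continue; // root project entry ("")
    check(path.slice(i + 'node_modules/'.length), info.version, path, out);
  }
}

function findAffected(lock) {
  const out = [];
  if (lock.packages) walkV2(lock.packages, out);
  else walkV1(lock.dependencies, [], out);
  return out;
}

// Constructed sample lockfile (not real project data; versions are illustrative).
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/event-stream': { version: '3.3.6' },
    'node_modules/event-stream/node_modules/flatmap-stream': { version: '0.0.1' },
    'node_modules/through': { version: '2.3.8' },
  },
};

console.log(findAffected(sampleLock));
```

A transitive copy is reported with its full install path, which shows which parent package pulled it in.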
Packages

Name: event-stream (npm)
Affected versions: = 3.3.6
Fixed version: 4.0.0

Name: flatmap-stream (npm)
Affected versions / Fixed version:
None
CVSS3: 9.8 Critical
Weaknesses: CWE-506