
[Aikido] - Fix 2 critical issues in constantinople, minimist and 32 other issues #23

Open

aikido-autofix[bot] wants to merge 1 commit into master from fix/aikido-security-update-packages-9095531-1U5f

[Aikido] - Fix 2 critical issues in constantinople, minimist and 32 other issues#23
aikido-autofix[bot] wants to merge 1 commit into
masterfrom
fix/aikido-security-update-packages-9095531-1U5f

Conversation

@aikido-autofix


This PR will resolve the following CVEs:

| CVE ID | Severity | Description |
| --- | --- | --- |
| GHSA-4vmm-mhcq-4x9j | 🚨 CRITICAL | Versions of constantinople prior to 3.1.1 are vulnerable to a sandbox bypass which can lead to arbitrary code execution. Recommendation: Update to version 3.1.1 or later. |
| CVE-2021-44906 | 🚨 CRITICAL | Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95). |
| CVE-2023-22578 | 🚨 CRITICAL | Due to improper attribute filtering in the sequelize js library, an attacker can perform SQL injections. |
| CVE-2023-22579 | HIGH | Due to improper parameter filtering in the sequelize js library, an attacker can perform injection. |
| CVE-2023-22580 | HIGH | Due to improper input filtering in the sequelize js library, malicious queries can lead to sensitive information disclosure. |
| CVE-2022-24999 | HIGH | qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an `__proto__` key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query strin... |
| CVE-2024-45590 | HIGH | body-parser is Node.js body parsing middleware. body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. This issue is patched in 1.... |
| CVE-2025-27152 | HIGH | axios is a promise based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative URLs to axios. Even if baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This issue impac |
| CVE-2025-58754 | HIGH | Axios is a promise based HTTP client for the browser and Node.js. When Axios prior to versions 0.30.2 and 1.12.0 runs on Node.js and is given a URL with the data: scheme, it does not perform HTTP. Instead, its Node http adapter decodes the entire payload into memory (Buffer/Blob) and returns a... |
| CVE-2023-45857 | MEDIUM | An issue discovered in Axios 0.8.1 through 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host, allowing attackers to view sensitive information. |
| AIKIDO-2025-10185 | MEDIUM | Affected versions of this package are vulnerable to server-side request forgery (SSRF) because allowAbsoluteUrls is not set to false by default when processing URLs in buildFullPath(). This unsafe default may lead to unintended URL acceptance, allowing attackers to bypass expected restrictions... |
| CVE-2020-28168 | MEDIUM | Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address. |
| AIKIDO-2023-10001 | LOW | Several security vulnerabilities were quietly patched in axios version 1.6.4 and version 0.29.0. Notably, a prototype pollution flaw impacted the formDataToJSON function, posing a significant risk. Additionally, a Regular Expression Denial of Service (ReDoS) vulnerability was identified and fixe... |
| CVE-2021-3749 | LOW | axios is vulnerable to Inefficient Regular Expression Complexity. |
| CVE-2023-26132 | HIGH | Versions of the package dottie before 2.0.4 are vulnerable to Prototype Pollution due to insufficient checks, via the set() function and the current variable in the /dottie.js file. |
| CVE-2022-31129 | HIGH | moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quad... |
| CVE-2024-28849 | MEDIUM | follow-redirects is an open source, drop-in replacement for Node's http and https modules that automatically follows redirects. In affected versions follow-redirects only clears the authorization header during cross-domain redirect, but keeps the proxy-authentication header which contains credentials... |
| CVE-2023-26159 | MEDIUM | Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to misinterpret the hostname. An attacker could exploit this weakness to redirect... |
| CVE-2022-0536 | MEDIUM | Improper Removal of Sensitive Information Before Storage or Transfer in NPM follow-redirects prior to 1.14.8. |
| CVE-2024-29041 | MEDIUM | Express.js minimalist web framework for node. Versions of Express.js prior to 4.19.0 and all pre-release alpha and beta versions of 5.0 are affected by an open redirect vulnerability using malformed URLs. When a user of Express performs a redirect using a user-provided URL Express performs an encode... |
| CVE-2024-43796 | MEDIUM | Express.js minimalist web framework for node. In express < 4.20.0, passing untrusted user input - even after sanitizing it - to response.redirect() may execute untrusted code. This issue is patched in express 4.20.0. |
| GHSA-v78c-4p63-2j6c | MEDIUM | Impact: if Alice uses grunt data (or grunt release) to prepare a custom-build, moment-timezone with the latest tzdata from IANA's website, and Mallory intercepts the request to IANA's unencrypted ftp server, Mallory can serve data which might exploit further stages of the moment-timezone ... |
| GHSA-56x4-j7p9-fcf9 | LOW | Impact: All versions of moment-timezone from 0.1.0 contain build tasks vulnerable to command injection. If Alice uses the tzdata pipeline to package moment-timezone on her own (for example via grunt data:2014d, where 2014d stands for the version of the tzdata to be used from IANA's website), ... |
| CVE-2024-43799 | MEDIUM | Send is a library for streaming files from the file system as a http response. Send passes untrusted user input to SendStream.redirect() which executes untrusted code. This issue is patched in send 0.19.0. |
| AIKIDO-2024-10253 | MEDIUM | Affected versions of the package are vulnerable to Cross-site Scripting (XSS) via the redirect function due to improper sanitization of user input. |
| CVE-2024-43800 | MEDIUM | serve-static serves static files. serve-static passes untrusted user input - even after sanitizing it - to redirect(), which may execute untrusted code. This issue is patched in serve-static 1.16.0. |
| AIKIDO-2024-10254 | LOW | Affected versions of the package are vulnerable to Cross-site Scripting (XSS) via the redirect function due to improper sanitization of user input. |
| AIKIDO-2024-10181 | LOW | The patched version adds a strict option to detect potential ReDoS issues. A bad regular expression is generated whenever two parameters within a single segment are separated by something other than a period (.). For example, /:a-:b. |
| CVE-2024-45296 | LOW | path-to-regexp turns path strings into regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loo... |
| CVE-2024-52798 | LOW | path-to-regexp turns path strings into regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. The regular expression that is vulnerable to backtracking can be generated in the 0.1.x release of path-to-regexp. Upgrade ... |
| CVE-2022-25883 | LOW | Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range. |
| CVE-2024-47764 | LOW | cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie. Upgrade to 0.7.... |
| CVE-2025-7339 | LOW | on-headers is a node.js middleware for listening to when a response writes headers. A bug in on-headers versions <1.1.0 may result in response headers being inadvertently modified when an array is passed to response.writeHead(). Users should upgrade to version 1.1.0 to receive a patch. Uses are |
| CVE-2020-28500 | LOW | Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions. |

@aikido-autofix aikido-autofix Bot added the labels "bug" (Something isn't working) and "documentation" (Improvements or additions to documentation) on Oct 23, 2025