• pkg:npm/%40babel%2Fruntime@7.26.0   (Confidence:Highest)

GHSA-968p-4wvh-cqc8 (NPM)  suppress

### Impact

When using Babel to compile [regular expression named capturing groups](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Regular_expressions/Named_capturing_group), Babel will generate a polyfill for the `.replace` method that has quadratic complexity on some specific replacement pattern strings (i.e. the second argument passed to `.replace`).

Your generated code is vulnerable if _all_ the following conditions are true:
- You use Babel to compile [regular expression named capturing groups](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Regular_expressions/Named_capturing_group)
- You use the `.replace` method on a regular expression that contains named capturing groups
- **Your code uses untrusted strings as the second argument of `.replace`**

If you are using `@babel/preset-env` with the [`targets`](https://babeljs.io/docs/options#targets) option, the transform that injects the vulnerable code is automatically enabled if:
- you use [_duplicated_ named capturing groups](https://github.com/tc39/proposal-duplicate-named-capturing-groups), and target any browser older than Chrome/Edge 126, Opera 112, Firefox 129, Safari 17.4, or Node.js 23
- you use any [named capturing groups](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Regular_expressions/Named_capturing_group), and target any browser older than Chrome 64, Opera 71, Edge 79, Firefox 78, Safari 11.1, or Node.js 10

You can verify what transforms `@babel/preset-env` is using by enabling the [`debug` option](https://babeljs.io/docs/babel-preset-env#debug).


### Patches

This problem has been fixed in `@babel/helpers` and `@babel/runtime` 7.26.10 and 8.0.0-alpha.17, please upgrade. It's likely that you do not directly depend on `@babel/helpers`, and instead you depend on `@babel/core` (which itself depends on `@babel/helpers`). Upgrading to `@babel/core` 7.26.10 is not required, but it guarantees that you are on a new enough `@babel/helpers` version.

Please note that just updating your Babel dependencies is not enough: you will also need to re-compile your code.

### Workarounds

If you are passing user-provided strings as the second argument of `.replace` on regular expressions that contain named capturing groups, validate the input and make sure it does not contain the substring `$<` if it's then not followed by `>` (possibly with other characters in between).

### References

This vulnerability was reported and fixed in https://github.com/babel/babel/pull/17173.

• Base Score: MEDIUM (6.199999809265137)
• Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

• Severity: moderate

• NPM Advisory reference: - https://github.com/advisories/GHSA-968p-4wvh-cqc8
• NPM Advisory reference: - https://github.com/babel/babel/commit/d5952e80c0faa5ec20e35085531b6e572d31dad4
• NPM Advisory reference: - https://github.com/babel/babel/pull/17173
• NPM Advisory reference: - https://github.com/babel/babel/security/advisories/GHSA-968p-4wvh-cqc8
• NPM Advisory reference: - https://nvd.nist.gov/vuln/detail/CVE-2025-27789

Vulnerable Software & Versions (NPM):

• cpe:2.3:a:*:\@babel\/runtime:\<7.26.10:*:*:*:*:*:*:*

• pkg:npm/%40parcel%2Freporter-dev-server@2.16.3   (Confidence:Highest)

GHSA-qm9p-f9j5-w83w (NPM)  suppress

parcel versions 1.6.1 and above have an Origin Validation Error vulnerability. Malicious websites can send XMLHTTPRequests to the application's development server and read the response to steal source code when developers visit them.

• Base Score: MEDIUM (6.5)
• Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

• Severity: moderate

• NPM Advisory reference: - https://gist.github.com/R4356th/41f468def606b2406e36f7193f5322b8
• NPM Advisory reference: - https://github.com/advisories/GHSA-qm9p-f9j5-w83w
• NPM Advisory reference: - https://github.com/parcel-bundler/parcel/commit/4bc56e3242a85491c7edf589966e9b44c6330c49
• NPM Advisory reference: - https://github.com/parcel-bundler/parcel/discussions/10089
• NPM Advisory reference: - https://github.com/parcel-bundler/parcel/issues/10216
• NPM Advisory reference: - https://github.com/parcel-bundler/parcel/pull/10138
• NPM Advisory reference: - https://nvd.nist.gov/vuln/detail/CVE-2025-56648

Vulnerable Software & Versions (NPM):

• cpe:2.3:a:*:\@parcel\/reporter-dev-server:\>\=1.6.1\<\=2.16.3:*:*:*:*:*:*:*

• pkg:npm/ajv@4.11.8   (Confidence:Highest)

GHSA-v88g-cgmw-v5xw (NPM)  suppress

An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)

• Base Score: MEDIUM (5.599999904632568)
• Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

• Severity: moderate

• NPM Advisory reference: - https://github.com/advisories/GHSA-v88g-cgmw-v5xw
• NPM Advisory reference: - https://github.com/ajv-validator/ajv/commit/65b2f7d76b190ac63a0d4e9154c712d7aa37049f
• NPM Advisory reference: - https://github.com/ajv-validator/ajv/releases/tag/v6.12.3
• NPM Advisory reference: - https://github.com/ajv-validator/ajv/tags
• NPM Advisory reference: - https://hackerone.com/bugs?subject=user&report_id=894259
• NPM Advisory reference: - https://nvd.nist.gov/vuln/detail/CVE-2020-15366
• NPM Advisory reference: - https://security.netapp.com/advisory/ntap-20240621-0007

Vulnerable Software & Versions (NPM):

• cpe:2.3:a:*:ajv:\<6.12.3:*:*:*:*:*:*:*

• pkg:npm/brace-expansion@1.1.11   (Confidence:Highest)

GHSA-v6h2-p8h4-qcjw (NPM)  suppress

A vulnerability was found in juliangruber brace-expansion up to 1.1.11/2.0.1/3.0.0/4.0.0. It has been rated as problematic. Affected by this issue is the function expand of the file index.js. The manipulation leads to inefficient regular expression complexity. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 1.1.12, 2.0.2, 3.0.1 and 4.0.1 is able to address this issue. The name of the patch is `a5b98a4f30d7813266b221435e1eaaf25a1b0ac5`. It is recommended to upgrade the affected component.

• Base Score: LOW (3.0999999046325684)
• Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L

• Severity: low

• NPM Advisory reference: - https://gist.github.com/mmmsssttt404/37a40ce7d6e5ca604858fe30814d9466
• NPM Advisory reference: - https://github.com/advisories/GHSA-v6h2-p8h4-qcjw
• NPM Advisory reference: - https://github.com/juliangruber/brace-expansion/commit/0b6a9781e18e9d2769bb2931f4856d1360243ed2
• NPM Advisory reference: - https://github.com/juliangruber/brace-expansion/commit/15f9b3c75ebf5988198241fecaebdc45eff28a9f
• NPM Advisory reference: - https://github.com/juliangruber/brace-expansion/commit/36603d5f3599a37af9e85eda30acd7d28599c36e
• NPM Advisory reference: - https://github.com/juliangruber/brace-expansion/commit/c3c73c8b088defc70851843be88ccc3af08e7217
• NPM Advisory reference: - https://github.com/juliangruber/brace-expansion/pull/65/commits/a5b98a4f30d7813266b221435e1eaaf25a1b0ac5
• NPM Advisory reference: - https://nvd.nist.gov/vuln/detail/CVE-2025-5889
• NPM Advisory reference: - https://vuldb.com/?ctiid.311660
• NPM Advisory reference: - https://vuldb.com/?id.311660
• NPM Advisory reference: - https://vuldb.com/?submit.585717

Vulnerable Software & Versions (NPM):

• cpe:2.3:a:*:brace-expansion:\>\=1.0.0\<\=1.1.11:*:*:*:*:*:*:*

• pkg:npm/js-yaml@4.1.0   (Confidence:Highest)

GHSA-mh29-5h37-fv8m (NPM)  suppress

### Impact

In js-yaml 4.1.0, 4.0.0, and 3.14.1 and below, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (`__proto__`). All users who parse untrusted yaml documents may be impacted.

### Patches

Problem is patched in js-yaml 4.1.1 and 3.14.2.

### Workarounds

You can protect against this kind of attack on the server by using `node --disable-proto=delete` or `deno` (in Deno, pollution protection is on by default).

### References

https://cheatsheetseries.owasp.org/cheatsheets/Prototype_Pollution_Prevention_Cheat_Sheet.html

• Base Score: MEDIUM (5.300000190734863)
• Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

• Severity: moderate

• NPM Advisory reference: - https://github.com/advisories/GHSA-mh29-5h37-fv8m
• NPM Advisory reference: - https://github.com/nodeca/js-yaml/commit/383665ff4248ec2192d1274e934462bb30426879
• NPM Advisory reference: - https://github.com/nodeca/js-yaml/commit/5278870a17454fe8621dbd8c445c412529525266
• NPM Advisory reference: - https://github.com/nodeca/js-yaml/security/advisories/GHSA-mh29-5h37-fv8m
• NPM Advisory reference: - https://nvd.nist.gov/vuln/detail/CVE-2025-64718

Vulnerable Software & Versions (NPM):

• cpe:2.3:a:*:js-yaml:\>\=4.0.0\<4.1.1:*:*:*:*:*:*:*

• pkg:npm/qs@6.13.0   (Confidence:Highest)

GHSA-6rw7-vpxm-498p (NPM)  suppress

### Summary

The `arrayLimit` option in qs does not enforce limits for bracket notation (`a[]=1&a[]=2`), allowing attackers to cause denial-of-service via memory exhaustion. Applications using `arrayLimit` for DoS protection are vulnerable.

### Details

The `arrayLimit` option only checks limits for indexed notation (`a[0]=1&a[1]=2`) but completely bypasses it for bracket notation (`a[]=1&a[]=2`).

**Vulnerable code** (`lib/parse.js:159-162`):
```javascript
if (root === '[]' && options.parseArrays) {
    obj = utils.combine([], leaf);  // No arrayLimit check
}
```

**Working code** (`lib/parse.js:175`):
```javascript
else if (index <= options.arrayLimit) {  // Limit checked here
    obj = [];
    obj[index] = leaf;
}
```

The bracket notation handler at line 159 uses `utils.combine([], leaf)` without validating against `options.arrayLimit`, while indexed notation at line 175 checks `index <= options.arrayLimit` before creating arrays.

### PoC

**Test 1 - Basic bypass:**
```bash
npm install qs
```

```javascript
const qs = require('qs');
const result = qs.parse('a[]=1&a[]=2&a[]=3&a[]=4&a[]=5&a[]=6', { arrayLimit: 5 });
console.log(result.a.length);  // Output: 6 (should be max 5)
```

**Test 2 - DoS demonstration:**
```javascript
const qs = require('qs');
const attack = 'a[]=' + Array(10000).fill('x').join('&a[]=');
const result = qs.parse(attack, { arrayLimit: 100 });
console.log(result.a.length);  // Output: 10000 (should be max 100)
```

**Configuration:**
- `arrayLimit: 5` (test 1) or `arrayLimit: 100` (test 2)
- Use bracket notation: `a[]=value` (not indexed `a[0]=value`)

### Impact

Denial of Service via memory exhaustion. Affects applications using `qs.parse()` with user-controlled input and `arrayLimit` for protection.

**Attack scenario:**
1. Attacker sends HTTP request: `GET /api/search?filters[]=x&filters[]=x&...&filters[]=x` (100,000+ times)
2. Application parses with `qs.parse(query, { arrayLimit: 100 })`
3. qs ignores limit, parses all 100,000 elements into array
4. Server memory exhausted → application crashes or becomes unresponsive
5. Service unavailable for all users

**Real-world impact:**
- Single malicious request can crash server
- No authentication required
- Easy to automate and scale
- Affects any endpoint parsing query strings with bracket notation

### Suggested Fix

Add `arrayLimit` validation to the bracket notation handler. The code already calculates `currentArrayLength` at line 147-151, but it's not used in the bracket notation handler at line 159.

**Current code** (`lib/parse.js:159-162`):
```javascript
if (root === '[]' && options.parseArrays) {
    obj = options.allowEmptyArrays && (leaf === '' || (options.strictNullHandling && leaf === null))
        ? []
        : utils.combine([], leaf);  // No arrayLimit check
}
```

**Fixed code**:
```javascript
if (root === '[]' && options.parseArrays) {
    // Use currentArrayLength already calculated at line 147-151
    if (options.throwOnLimitExceeded && currentArrayLength >= options.arrayLimit) {
        throw new RangeError('Array limit exceeded. Only ' + options.arrayLimit + ' element' + (options.arrayLimit === 1 ? '' : 's') + ' allowed in an array.');
    }
    
    // If limit exceeded and not throwing, convert to object (consistent with indexed notation behavior)
    if (currentArrayLength >= options.arrayLimit) {
        obj = options.plainObjects ? { __proto__: null } : {};
        obj[currentArrayLength] = leaf;
    } else {
        obj = options.allowEmptyArrays && (leaf === '' || (options.strictNullHandling && leaf === null))
            ? []
            : utils.combine([], leaf);
    }
}
```

This makes bracket notation behaviour consistent with indexed notation, enforcing `arrayLimit` and converting to object when limit is exceeded (per README documentation).

• Base Score: HIGH (7.5)
• Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

• Severity: high

• NPM Advisory reference: - https://github.com/advisories/GHSA-6rw7-vpxm-498p
• NPM Advisory reference: - https://github.com/ljharb/qs/commit/3086902ecf7f088d0d1803887643ac6c03d415b9
• NPM Advisory reference: - https://github.com/ljharb/qs/security/advisories/GHSA-6rw7-vpxm-498p
• NPM Advisory reference: - https://nvd.nist.gov/vuln/detail/CVE-2025-15284

Vulnerable Software & Versions (NPM):

• cpe:2.3:a:*:qs:\<6.14.1:*:*:*:*:*:*:*