• pkg:npm/%40babel%2Fruntime@7.26.0   (Confidence:Highest)

GHSA-968p-4wvh-cqc8 (NPM)  suppress

### Impact

When using Babel to compile [regular expression named capturing groups](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Regular_expressions/Named_capturing_group), Babel will generate a polyfill for the `.replace` method that has quadratic complexity on some specific replacement pattern strings (i.e. the second argument passed to `.replace`).

Your generated code is vulnerable if _all_ the following conditions are true:
- You use Babel to compile [regular expression named capturing groups](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Regular_expressions/Named_capturing_group)
- You use the `.replace` method on a regular expression that contains named capturing groups
- **Your code uses untrusted strings as the second argument of `.replace`**

If you are using `@babel/preset-env` with the [`targets`](https://babeljs.io/docs/options#targets) option, the transform that injects the vulnerable code is automatically enabled if:
- you use [_duplicated_ named capturing groups](https://github.com/tc39/proposal-duplicate-named-capturing-groups), and target any browser older than Chrome/Edge 126, Opera 112, Firefox 129, Safari 17.4, or Node.js 23
- you use any [named capturing groups](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Regular_expressions/Named_capturing_group), and target any browser older than Chrome 64, Opera 71, Edge 79, Firefox 78, Safari 11.1, or Node.js 10

You can verify what transforms `@babel/preset-env` is using by enabling the [`debug` option](https://babeljs.io/docs/babel-preset-env#debug).


### Patches

This problem has been fixed in `@babel/helpers` and `@babel/runtime` 7.26.10 and 8.0.0-alpha.17, please upgrade. It's likely that you do not directly depend on `@babel/helpers`, and instead you depend on `@babel/core` (which itself depends on `@babel/helpers`). Upgrading to `@babel/core` 7.26.10 is not required, but it guarantees that you are on a new enough `@babel/helpers` version.

Please note that just updating your Babel dependencies is not enough: you will also need to re-compile your code.

### Workarounds

If you are passing user-provided strings as the second argument of `.replace` on regular expressions that contain named capturing groups, validate the input and make sure it does not contain the substring `$<` if it's then not followed by `>` (possibly with other characters in between).

### References

This vulnerability was reported and fixed in https://github.com/babel/babel/pull/17173.

• Base Score: MEDIUM (6.199999809265137)
• Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

• Severity: moderate

• NPM Advisory reference: - https://github.com/advisories/GHSA-968p-4wvh-cqc8
• NPM Advisory reference: - https://github.com/babel/babel/commit/d5952e80c0faa5ec20e35085531b6e572d31dad4
• NPM Advisory reference: - https://github.com/babel/babel/pull/17173
• NPM Advisory reference: - https://github.com/babel/babel/security/advisories/GHSA-968p-4wvh-cqc8
• NPM Advisory reference: - https://nvd.nist.gov/vuln/detail/CVE-2025-27789

Vulnerable Software & Versions (NPM):

• cpe:2.3:a:*:\@babel\/runtime:\<7.26.10:*:*:*:*:*:*:*

• pkg:npm/%40parcel%2Freporter-dev-server@2.16.3   (Confidence:Highest)

GHSA-qm9p-f9j5-w83w (NPM)  suppress

parcel versions 1.6.1 and above have an Origin Validation Error vulnerability. Malicious websites can send XMLHTTPRequests to the application's development server and read the response to steal source code when developers visit them.

• Base Score: MEDIUM (6.5)
• Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

• Severity: moderate

• NPM Advisory reference: - https://gist.github.com/R4356th/41f468def606b2406e36f7193f5322b8
• NPM Advisory reference: - https://github.com/advisories/GHSA-qm9p-f9j5-w83w
• NPM Advisory reference: - https://github.com/parcel-bundler/parcel/commit/4bc56e3242a85491c7edf589966e9b44c6330c49
• NPM Advisory reference: - https://github.com/parcel-bundler/parcel/discussions/10089
• NPM Advisory reference: - https://github.com/parcel-bundler/parcel/issues/10216
• NPM Advisory reference: - https://github.com/parcel-bundler/parcel/pull/10138
• NPM Advisory reference: - https://nvd.nist.gov/vuln/detail/CVE-2025-56648

Vulnerable Software & Versions (NPM):

• cpe:2.3:a:*:\@parcel\/reporter-dev-server:\>\=1.6.1\<\=2.16.3:*:*:*:*:*:*:*

• pkg:npm/brace-expansion@1.1.11   (Confidence:Highest)

GHSA-v6h2-p8h4-qcjw (NPM)  suppress

A vulnerability was found in juliangruber brace-expansion up to 1.1.11/2.0.1/3.0.0/4.0.0. It has been rated as problematic. Affected by this issue is the function expand of the file index.js. The manipulation leads to inefficient regular expression complexity. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 1.1.12, 2.0.2, 3.0.1 and 4.0.1 is able to address this issue. The name of the patch is `a5b98a4f30d7813266b221435e1eaaf25a1b0ac5`. It is recommended to upgrade the affected component.

• Base Score: LOW (3.0999999046325684)
• Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L

• Severity: low

• NPM Advisory reference: - https://gist.github.com/mmmsssttt404/37a40ce7d6e5ca604858fe30814d9466
• NPM Advisory reference: - https://github.com/advisories/GHSA-v6h2-p8h4-qcjw
• NPM Advisory reference: - https://github.com/juliangruber/brace-expansion/commit/0b6a9781e18e9d2769bb2931f4856d1360243ed2
• NPM Advisory reference: - https://github.com/juliangruber/brace-expansion/commit/15f9b3c75ebf5988198241fecaebdc45eff28a9f
• NPM Advisory reference: - https://github.com/juliangruber/brace-expansion/commit/36603d5f3599a37af9e85eda30acd7d28599c36e
• NPM Advisory reference: - https://github.com/juliangruber/brace-expansion/commit/c3c73c8b088defc70851843be88ccc3af08e7217
• NPM Advisory reference: - https://github.com/juliangruber/brace-expansion/pull/65/commits/a5b98a4f30d7813266b221435e1eaaf25a1b0ac5
• NPM Advisory reference: - https://nvd.nist.gov/vuln/detail/CVE-2025-5889
• NPM Advisory reference: - https://vuldb.com/?ctiid.311660
• NPM Advisory reference: - https://vuldb.com/?id.311660
• NPM Advisory reference: - https://vuldb.com/?submit.585717

Vulnerable Software & Versions (NPM):

• cpe:2.3:a:*:brace-expansion:\>\=1.0.0\<\=1.1.11:*:*:*:*:*:*:*

• pkg:javascript/moment.js@2.19.4   (Confidence:Highest)

CVE-2022-24785  suppress

Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.

• Base Score: HIGH (7.5)
• Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:3.9/RC:R/MAV:A

• Base Score: MEDIUM (5.0)
• Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N

• af854a3a-2127-422b-91ae-364da2661108 - https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/
• af854a3a-2127-422b-91ae-364da2661108 - https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/
• af854a3a-2127-422b-91ae-364da2661108 - https://security.netapp.com/advisory/ntap-20241108-0002/
• af854a3a-2127-422b-91ae-364da2661108 - MAILING_LIST,THIRD_PARTY_ADVISORY
• af854a3a-2127-422b-91ae-364da2661108 - PATCH
• af854a3a-2127-422b-91ae-364da2661108 - PATCH,RELEASE_NOTES,THIRD_PARTY_ADVISORY
• af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY
• af854a3a-2127-422b-91ae-364da2661108 - VENDOR_ADVISORY
• info - https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4
• security-advisories@github.com - https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/
• security-advisories@github.com - https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/
• security-advisories@github.com - MAILING_LIST,THIRD_PARTY_ADVISORY
• security-advisories@github.com - PATCH
• security-advisories@github.com - PATCH,RELEASE_NOTES,THIRD_PARTY_ADVISORY
• security-advisories@github.com - THIRD_PARTY_ADVISORY
• security-advisories@github.com - VENDOR_ADVISORY

Vulnerable Software & Versions (NVD):

• cpe:2.3:a:momentjs:moment:*:*:*:*:*:node.js:*:* versions from (including) 1.0.1; versions up to (excluding) 2.29.2
• cpe:2.3:a:momentjs:moment:*:*:*:*:*:nuget:*:* versions from (including) 1.0.1; versions up to (excluding) 2.29.2
• cpe:2.3:a:netapp:active_iq:-:*:*:*:*:*:*:*
• cpe:2.3:a:tenable:tenable.sc:*:*:*:*:*:*:*:* versions up to (excluding) 5.21.0

CVE-2022-31129  suppress

moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.

• Base Score: HIGH (7.5)
• Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A

• Base Score: MEDIUM (5.0)
• Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P

• af854a3a-2127-422b-91ae-364da2661108 - https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/
• af854a3a-2127-422b-91ae-364da2661108 - https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O/
• af854a3a-2127-422b-91ae-364da2661108 - https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/
• af854a3a-2127-422b-91ae-364da2661108 - https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO/
• af854a3a-2127-422b-91ae-364da2661108 - https://security.netapp.com/advisory/ntap-20241108-0002/
• af854a3a-2127-422b-91ae-364da2661108 - EXPLOIT,ISSUE_TRACKING,PATCH,THIRD_PARTY_ADVISORY
• af854a3a-2127-422b-91ae-364da2661108 - EXPLOIT,ISSUE_TRACKING,PATCH,THIRD_PARTY_ADVISORY
• af854a3a-2127-422b-91ae-364da2661108 - ISSUE_TRACKING,THIRD_PARTY_ADVISORY
• af854a3a-2127-422b-91ae-364da2661108 - MAILING_LIST,THIRD_PARTY_ADVISORY
• af854a3a-2127-422b-91ae-364da2661108 - PATCH,THIRD_PARTY_ADVISORY
• af854a3a-2127-422b-91ae-364da2661108 - THIRD_PARTY_ADVISORY
• info - https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g
• info - https://security.snyk.io/vuln/SNYK-JS-MOMENT-2944238
• security-advisories@github.com - https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/
• security-advisories@github.com - https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O/
• security-advisories@github.com - https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/
• security-advisories@github.com - https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO/
• security-advisories@github.com - EXPLOIT,ISSUE_TRACKING,PATCH,THIRD_PARTY_ADVISORY
• security-advisories@github.com - EXPLOIT,ISSUE_TRACKING,PATCH,THIRD_PARTY_ADVISORY
• security-advisories@github.com - ISSUE_TRACKING,THIRD_PARTY_ADVISORY
• security-advisories@github.com - MAILING_LIST,THIRD_PARTY_ADVISORY
• security-advisories@github.com - PATCH,THIRD_PARTY_ADVISORY
• security-advisories@github.com - THIRD_PARTY_ADVISORY

Vulnerable Software & Versions (NVD):

• cpe:2.3:a:momentjs:moment:*:*:*:*:*:node.js:*:* versions from (including) 2.18.0; versions up to (excluding) 2.29.4
• cpe:2.3:a:momentjs:moment:*:*:*:*:*:nuget:*:* versions from (including) 2.18.0; versions up to (excluding) 2.29.4