WS-2018-0209 (Medium) detected in morgan-1.5.3.tgz
Closed this issue · 0 comments
mend-for-github-com commented
WS-2018-0209 - Medium Severity Vulnerability
Vulnerable Library - morgan-1.5.3.tgz
HTTP request logger middleware for node.js
Library home page: https://registry.npmjs.org/morgan/-/morgan-1.5.3.tgz
Path to dependency file: /tmp/ws-scm/cla-bot/package.json
Path to vulnerable library: /tmp/ws-scm/cla-bot/node_modules/morgan/package.json
Dependency Hierarchy:
- express-3.20.3.tgz (Root Library)
- connect-2.29.2.tgz
- ❌ morgan-1.5.3.tgz (Vulnerable Library)
- connect-2.29.2.tgz
Found in HEAD commit: 728af6547d8b346b13cb8e7fe8c30e8a0df3cbeb
Vulnerability Details
Morgan before 1.9.1 is vulnerable to code injection when user input is allowed into the filter or combined with a prototype pollution attack.
Publish Date: 2018-11-25
URL: WS-2018-0209
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/735
Release Date: 2019-04-08
Fix Resolution: 1.9.1