it-tools
[security] vulnerable npm dependencies
### Describe the bug
Hi @CorentinTh
trivy security scanner reports vulnerable npm dependencies in this project, including 1 critical:
crypto-js PBKDF2 is 1,000 times weaker than originally specified in 1993, and at least 1,300,000 times weaker than current industry standard
I am unsure if this directly affects the key generation features of it-tools.
Still, it would be great if you could update the project's dependencies and create a new release.
(the lack of "recent" commits also hampers the addition of it-tools to awesome-selfhosted)
### What happened?
```sh
$ wget https://github.com/aquasecurity/trivy/releases/download/v0.59.0/trivy_0.59.0_Linux-64bit.tar.gz
$ tar -zxvf trivy_0.59.0_Linux-64bit.tar.gz
$ cd trivy_0.59.0_Linux-64bit/
$ ./trivy repo https://github.com/CorentinTh/it-tools
```
2025-04-03T22:10:49+02:00 INFO [vulndb] Need to update DB
2025-04-03T22:10:49+02:00 INFO [vulndb] Downloading vulnerability DB...
2025-04-03T22:10:49+02:00 INFO [vulndb] Downloading artifact... repo="mirror.gcr.io/aquasec/trivy-db:2"
61.92 MiB / 61.92 MiB [-------------------------------------------------] 100.00% 19.26 MiB p/s 3.4s
2025-04-03T22:10:53+02:00 INFO [vulndb] Artifact successfully downloaded repo="mirror.gcr.io/aquasec/trivy-db:2"
2025-04-03T22:10:53+02:00 INFO [vuln] Vulnerability scanning is enabled
2025-04-03T22:10:53+02:00 INFO [secret] Secret scanning is enabled
2025-04-03T22:10:53+02:00 INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-04-03T22:10:53+02:00 INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.59/docs/scanner/secret#recommendation for faster secret detection
Enumerating objects: 3357, done.
Counting objects: 100% (3357/3357), done.
Compressing objects: 100% (2238/2238), done.
Total 3357 (delta 1526), reused 2531 (delta 1046), pack-reused 0 (from 0)
2025-04-03T22:10:55+02:00 INFO [pnpm] To collect the license information of packages, "pnpm install" needs to be performed beforehand dir="node_modules"
2025-04-03T22:10:55+02:00 INFO Suppressing dependencies for development and testing. To display them, try the '--include-dev-deps' flag.
2025-04-03T22:10:55+02:00 INFO Number of language-specific files num=1
2025-04-03T22:10:55+02:00 INFO [pnpm] Detecting vulnerabilities...
pnpm-lock.yaml (pnpm)
Total: 19 (UNKNOWN: 0, LOW: 0, MEDIUM: 12, HIGH: 6, CRITICAL: 1)
┌───────────────────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├───────────────────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────────────┼──────────────────────────────────────────────────────────────┤
│ @babel/helpers │ CVE-2025-27789 │ MEDIUM │ fixed │ 7.23.2 │ 7.26.10, 8.0.0-alpha.17 │ Babel is a compiler for writing next generation JavaScript. │
│ │ │ │ │ │ │ When using ...... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-27789 │
├───────────────────────┤ │ │ ├───────────────────┤ │ │
│ @babel/runtime │ │ │ │ 7.22.10 │ │ │
│ │ │ │ │ │ │ │
│ │ │ │ │ │ │ │
│ │ │ │ ├───────────────────┤ │ │
│ │ │ │ │ 7.23.2 │ │ │
│ │ │ │ │ │ │ │
│ │ │ │ │ │ │ │
├───────────────────────┼────────────────┤ │ ├───────────────────┼─────────────────────────┼──────────────────────────────────────────────────────────────┤
│ @intlify/core-base │ CVE-2024-52809 │ │ │ 9.9.1 │ 9.14.2, 10.0.5 │ vue-i18n has cross-site scripting vulnerability with │
│ │ │ │ │ │ │ prototype pollution │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-52809 │
├───────────────────────┼────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ @intlify/shared │ CVE-2024-52810 │ │ │ │ │ @intlify/shared Prototype Pollution vulnerability │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-52810 │
├───────────────────────┼────────────────┼──────────┤ ├───────────────────┼─────────────────────────┼──────────────────────────────────────────────────────────────┤
│ braces │ CVE-2024-4068 │ HIGH │ │ 3.0.2 │ 3.0.3 │ braces: fails to limit the number of characters it can │
│ │ │ │ │ │ │ handle │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-4068 │
├───────────────────────┼────────────────┼──────────┤ ├───────────────────┼─────────────────────────┼──────────────────────────────────────────────────────────────┤
│ crypto-js │ CVE-2023-46233 │ CRITICAL │ │ 4.1.1 │ 4.2.0 │ crypto-js: PBKDF2 1,000 times weaker than specified in 1993 │
│ │ │ │ │ │ │ and 1.3M times... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-46233 │
├───────────────────────┼────────────────┼──────────┤ ├───────────────────┼─────────────────────────┼──────────────────────────────────────────────────────────────┤
│ dompurify │ CVE-2024-45801 │ HIGH │ │ 3.0.6 │ 2.5.4, 3.1.3 │ dompurify: XSS vulnerability via prototype pollution │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-45801 │
│ ├────────────────┤ │ │ ├─────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2024-47875 │ │ │ │ 2.5.0, 3.1.3 │ dompurify: nesting-based mutation XSS vulnerability │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-47875 │
│ ├────────────────┼──────────┤ │ ├─────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2025-26791 │ MEDIUM │ │ │ 3.2.4 │ dompurify: Mutation XSS in DOMPurify Due to Improper │
│ │ │ │ │ │ │ Template Literal Handling │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-26791 │
├───────────────────────┼────────────────┤ │ ├───────────────────┼─────────────────────────┼──────────────────────────────────────────────────────────────┤
│ micromatch │ CVE-2024-4067 │ │ │ 4.0.5 │ 4.0.8 │ micromatch: vulnerable to Regular Expression Denial of │
│ │ │ │ │ │ │ Service │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-4067 │
├───────────────────────┼────────────────┤ │ ├───────────────────┼─────────────────────────┼──────────────────────────────────────────────────────────────┤
│ nanoid │ CVE-2024-55565 │ │ │ 3.3.6 │ 5.0.9, 3.3.8 │ nanoid: nanoid mishandles non-integer values │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-55565 │
├───────────────────────┼────────────────┤ │ ├───────────────────┼─────────────────────────┼──────────────────────────────────────────────────────────────┤
│ postcss │ CVE-2023-44270 │ │ │ 8.4.28 │ 8.4.31 │ PostCSS: Improper input validation in PostCSS │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-44270 │
├───────────────────────┼────────────────┼──────────┤ ├───────────────────┼─────────────────────────┼──────────────────────────────────────────────────────────────┤
│ semver │ CVE-2022-25883 │ HIGH │ │ 7.5.1 │ 7.5.2, 6.3.1, 5.7.2 │ nodejs-semver: Regular expression denial of service │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-25883 │
├───────────────────────┼────────────────┤ │ ├───────────────────┼─────────────────────────┼──────────────────────────────────────────────────────────────┤
│ vue-i18n │ CVE-2025-27597 │ │ │ 9.9.1 │ 9.14.3, 10.0.6, 11.1.2 │ Vue I18n Allows Prototype Pollution in `handleFlatJson` │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-27597 │
│ ├────────────────┼──────────┤ │ ├─────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2024-52809 │ MEDIUM │ │ │ 9.14.2, 10.0.5 │ vue-i18n has cross-site scripting vulnerability with │
│ │ │ │ │ │ │ prototype pollution │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-52809 │
│ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2024-52810 │ │ │ │ │ @intlify/shared Prototype Pollution vulnerability │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-52810 │
├───────────────────────┼────────────────┤ │ ├───────────────────┼─────────────────────────┼──────────────────────────────────────────────────────────────┤
│ vue-template-compiler │ CVE-2024-6783 │ │ │ 2.7.14 │ 3.0.0 │ vue-template-compiler vulnerable to client-side Cross-Site │
│ │ │ │ │ │ │ Scripting (XSS) │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-6783 │
├───────────────────────┼────────────────┼──────────┤ ├───────────────────┼─────────────────────────┼──────────────────────────────────────────────────────────────┤
│ yaml │ CVE-2023-2251 │ HIGH │ │ 2.2.1 │ 2.2.2 │ Uncaught Exception in GitHub repository eemeli/yaml prior to │
│ │ │ │ │ │ │ 2.0.0-5. │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-2251 │
└───────────────────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────────────┴──────────────────────────────────────────────────────────────┘
src/tools/jwt-parser/jwt-parser.vue (secrets)
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
### System information
Debian 12
### Where did you encounter the bug?
Other (installations, docker, etc.)
Ping @CorentinTh
Hi @nodiscc, I also updated other packages in my fork, and there is no critical left (one high remains, but it is not used): https://github.com/sharevb/it-tools
No acknowledgement of a possible security issue after 2 months? Concerning (absence of) basic security policy.
Hi @nodiscc, it should be fixed in my fork.
And if you are interested in an up-to-date version of it-tools, with many improvements, new tools, and bug fixes, as this repo is almost no longer maintained, I made a fork here: https://github.com/sharevb/it-tools (https://sharevb-it-tools.vercel.app/ and docker images https://github.com/sharevb/it-tools/pkgs/container/it-tools)