npm Alert

Warning Date: 23 January, 2022
Severity Level: High
Warning Number: 2022-4264
Target Sector: All
npm has released security updates to address vulnerabilities in the following products (affected versions listed for each):
- log4js: < 6.4.0
- epubjs: < 0.3.89
- node-fetch: >= 3.0.0, < 3.1.1 and < 2.6.7
- colors: >= 1.4.1
- nanoid: < 3.1.31
Threats:
An attacker could exploit these vulnerabilities by:
- Cross-site scripting (XSS)
The CERT team encourages users to review the npm security advisories below (GitHub Advisory Database) and apply the necessary updates:
- Incorrect Default Permissions in log4js (CVE-2022-21704)
- Cross-site Scripting in epubjs (CVE-2021-33040)
- node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor (CVE-2022-0235)
- Infinite Loop in colors.js (CVE-2021-23567)
- Exposure of Sensitive Information to an Unauthorized Actor in nanoid (CVE-2021-23566)
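To check whether a project installs any of the affected versions above, the following added example (not part of the CERT alert or of npm) compares a package-lock.json "packages" map against the version ranges this alert lists; the AFFECTED table is copied from the alert and the lockfile fragment at the bottom is constructed for illustration.

```javascript
// Added example, not from the CERT alert: flag installed npm packages whose
// version falls inside the affected ranges listed in this alert.
const AFFECTED = {
  "log4js": ["<6.4.0"],
  "epubjs": ["<0.3.89"],
  "node-fetch": [">=3.0.0 <3.1.1", "<2.6.7"],
  "colors": [">=1.4.1"],
  "nanoid": ["<3.1.31"],
};
// Numeric compare of major.minor.patch; pre-release/build suffixes are ignored.
function cmp(a, b) {
  const pa = a.split(/[-+]/)[0].split(".").map(Number);
  const pb = b.split(/[-+]/)[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}
// A range is a space-separated AND of comparators, e.g. ">=3.0.0 <3.1.1".
function satisfies(version, range) {
  return range.split(/\s+/).every((c) => {
    const m = /^(>=|<=|>|<|=)?(\d+\.\d+\.\d+)$/.exec(c);
    if (!m) throw new Error(`bad comparator: ${c}`);
    const r = cmp(version, m[2]);
    switch (m[1] || "=") {
      case ">=": return r >= 0;
      case "<=": return r <= 0;
      case ">": return r > 0;
      case "<": return r < 0;
      default: return r === 0;
    }
  });
}
// Scan a package-lock.json v2/v3 "packages" map (nested installs included)
// and return one {name, version, range} record per affected package.
function findAffected(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    const range = (AFFECTED[name] || []).find((r) => meta.version && satisfies(meta.version, r));
    if (range) hits.push({ name, version: meta.version, range });
  }
  return hits;
}
// Constructed lockfile fragment: two of the four entries are in an affected range.
const SAMPLE_LOCK = { packages: {
  "node_modules/node-fetch": { version: "2.6.6" },
  "node_modules/colors": { version: "1.4.0" },
  "node_modules/some-dep/node_modules/nanoid": { version: "3.1.30" },
  "node_modules/log4js": { version: "6.4.0" },
} };
```

On a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `findAffected` instead of `SAMPLE_LOCK`; the nested `some-dep/node_modules/nanoid` entry shows that transitive installs are checked as well as direct ones.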