actions-toolkit-2.0.0.tgz: 9 vulnerabilities (highest severity is: 9.3) [main] (reachable) #20
Description
📂 Vulnerable Library - actions-toolkit-2.0.0.tgz
A toolkit for building GitHub Actions in Node.js
Findings
| Finding | Severity | 🎯 CVSS | Exploit Maturity | EPSS | Library | Type | Fixed in | Remediation Available | Reachability |
|---|---|---|---|---|---|---|---|---|---|
| CVE-2021-44906 | 🟣 Critical | 9.3 | Not Defined | < 1% | minimist-1.2.0.tgz | Transitive | N/A | ❌ |  Reachable |
| CVE-2021-44906 | 🟣 Critical | 9.3 | Not Defined | < 1% | minimist-0.0.8.tgz | Transitive | N/A | ❌ |  Unreachable |
| CVE-2022-3517 | 🔴 High | 8.7 | Not Defined | < 1% | minimatch-3.0.4.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2020-8203 | 🔴 High | 8.3 | Not Defined | 2.4% | lodash.set-4.3.2.tgz | Transitive | N/A | ❌ | |
| CVE-2020-7598 | 🟠 Medium | 6.3 | Not Defined | < 1% | minimist-0.0.8.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2020-7598 | 🟠 Medium | 6.3 | Not Defined | < 1% | minimist-1.2.0.tgz | Transitive | N/A | ❌ | Reachable |
| CVE-2022-0235 | 🟠 Medium | 5.3 | Not Defined | < 1% | node-fetch-2.6.0.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2020-15168 | 🟡 Low | 2.1 | Not Defined | < 1% | node-fetch-2.6.0.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2025-5889 | 🟡 Low | 1.3 | Proof of concept | < 1% | brace-expansion-1.1.11.tgz | Transitive | N/A | ❌ | Unreachable |
Details
🟣CVE-2021-44906
Vulnerable Library - minimist-1.2.0.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz
Dependency Hierarchy:
-
actions-toolkit-2.0.0.tgz (Root Library)
- ❌ minimist-1.2.0.tgz (Vulnerable Library)
-
actions-toolkit-2.1.0.tgz (Root Library)
- ❌ minimist-1.2.0.tgz (Vulnerable Library)
-
jest-24.9.0.tgz (Root Library)
- jest-cli-24.9.0.tgz
- jest-config-24.9.0.tgz
- core-7.7.4.tgz
- json5-2.1.1.tgz
- ❌ minimist-1.2.0.tgz (Vulnerable Library)
- json5-2.1.1.tgz
- core-7.7.4.tgz
- jest-config-24.9.0.tgz
- jest-cli-24.9.0.tgz
-
actions-toolkit-2.2.0.tgz (Root Library)
- ❌ minimist-1.2.0.tgz (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
Vulnerability Details
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
Publish Date: Mar 17, 2022 01:05 PM
URL: CVE-2021-44906
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 9.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-xvch-5gv4-984h
Release Date: Mar 17, 2022 01:05 PM
Fix Resolution : minimist - 0.2.4,minimist - 1.2.6
🟣CVE-2021-44906
Vulnerable Library - minimist-0.0.8.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz
Dependency Hierarchy:
-
actions-toolkit-2.0.0.tgz (Root Library)
- flat-cache-2.0.1.tgz
- write-1.0.3.tgz
- mkdirp-0.5.1.tgz
- ❌ minimist-0.0.8.tgz (Vulnerable Library)
- mkdirp-0.5.1.tgz
- write-1.0.3.tgz
- flat-cache-2.0.1.tgz
-
actions-toolkit-2.1.0.tgz (Root Library)
- flat-cache-2.0.1.tgz
- write-1.0.3.tgz
- mkdirp-0.5.1.tgz
- ❌ minimist-0.0.8.tgz (Vulnerable Library)
- mkdirp-0.5.1.tgz
- write-1.0.3.tgz
- flat-cache-2.0.1.tgz
-
jest-24.9.0.tgz (Root Library)
- jest-cli-24.9.0.tgz
- core-24.9.0.tgz
- jest-haste-map-24.9.0.tgz
- fsevents-1.2.9.tgz
- node-pre-gyp-0.12.0.tgz
- mkdirp-0.5.1.tgz
- ❌ minimist-0.0.8.tgz (Vulnerable Library)
- mkdirp-0.5.1.tgz
- node-pre-gyp-0.12.0.tgz
- fsevents-1.2.9.tgz
- jest-haste-map-24.9.0.tgz
- core-24.9.0.tgz
- jest-cli-24.9.0.tgz
-
actions-toolkit-2.2.0.tgz (Root Library)
- flat-cache-2.0.1.tgz
- write-1.0.3.tgz
- mkdirp-0.5.1.tgz
- ❌ minimist-0.0.8.tgz (Vulnerable Library)
- mkdirp-0.5.1.tgz
- write-1.0.3.tgz
- flat-cache-2.0.1.tgz
-
nock-11.7.0.tgz (Root Library)
- mkdirp-0.5.1.tgz
- ❌ minimist-0.0.8.tgz (Vulnerable Library)
- mkdirp-0.5.1.tgz
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
Publish Date: Mar 17, 2022 01:05 PM
URL: CVE-2021-44906
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 9.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-xvch-5gv4-984h
Release Date: Mar 17, 2022 01:05 PM
Fix Resolution : minimist - 0.2.4,minimist - 1.2.6
🔴CVE-2022-3517
Vulnerable Library - minimatch-3.0.4.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz
Dependency Hierarchy:
-
actions-toolkit-4.0.0.tgz (Root Library)
- flat-cache-2.0.1.tgz
- rimraf-2.6.3.tgz
- glob-7.1.6.tgz
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
- glob-7.1.6.tgz
- rimraf-2.6.3.tgz
- flat-cache-2.0.1.tgz
-
actions-toolkit-2.0.0.tgz (Root Library)
- flat-cache-2.0.1.tgz
- rimraf-2.6.3.tgz
- glob-7.1.4.tgz
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
- glob-7.1.4.tgz
- rimraf-2.6.3.tgz
- flat-cache-2.0.1.tgz
-
actions-toolkit-2.1.0.tgz (Root Library)
- flat-cache-2.0.1.tgz
- rimraf-2.6.3.tgz
- glob-7.1.4.tgz
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
- glob-7.1.4.tgz
- rimraf-2.6.3.tgz
- flat-cache-2.0.1.tgz
-
jest-24.9.0.tgz (Root Library)
- jest-cli-24.9.0.tgz
- jest-config-24.9.0.tgz
- glob-7.1.4.tgz
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
- glob-7.1.4.tgz
- jest-config-24.9.0.tgz
- jest-cli-24.9.0.tgz
-
actions-toolkit-2.2.0.tgz (Root Library)
- flat-cache-2.0.1.tgz
- rimraf-2.6.3.tgz
- glob-7.1.5.tgz
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
- glob-7.1.5.tgz
- rimraf-2.6.3.tgz
- flat-cache-2.0.1.tgz
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Publish Date: Oct 17, 2022 12:00 AM
URL: CVE-2022-3517
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: GHSA-f8q6-p94x-37v3
Release Date: Oct 17, 2022 12:00 AM
Fix Resolution : minimatch - 3.0.5
🔴CVE-2020-8203
Vulnerable Library - lodash.set-4.3.2.tgz
The lodash method _.set exported as a module.
Library home page: https://registry.npmjs.org/lodash.set/-/lodash.set-4.3.2.tgz
Dependency Hierarchy:
-
actions-toolkit-2.0.0.tgz (Root Library)
- rest-16.25.3.tgz
- ❌ lodash.set-4.3.2.tgz (Vulnerable Library)
- rest-16.25.3.tgz
-
actions-toolkit-2.1.0.tgz (Root Library)
- rest-16.28.2.tgz
- ❌ lodash.set-4.3.2.tgz (Vulnerable Library)
- rest-16.28.2.tgz
-
actions-toolkit-2.2.0.tgz (Root Library)
- rest-16.34.1.tgz
- ❌ lodash.set-4.3.2.tgz (Vulnerable Library)
- rest-16.34.1.tgz
Vulnerability Details
Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.
Publish Date: Jul 15, 2020 04:10 PM
URL: CVE-2020-8203
Threat Assessment
Exploit Maturity:Not Defined
EPSS:2.4%
Score: 8.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-p6mc-m468-83gw
Release Date: Jul 15, 2020 04:10 PM
Fix Resolution : lodash - 4.17.19,lodash-es - 4.17.20
🟠CVE-2020-7598
Vulnerable Library - minimist-0.0.8.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz
Dependency Hierarchy:
-
actions-toolkit-2.0.0.tgz (Root Library)
- flat-cache-2.0.1.tgz
- write-1.0.3.tgz
- mkdirp-0.5.1.tgz
- ❌ minimist-0.0.8.tgz (Vulnerable Library)
- mkdirp-0.5.1.tgz
- write-1.0.3.tgz
- flat-cache-2.0.1.tgz
-
actions-toolkit-2.1.0.tgz (Root Library)
- flat-cache-2.0.1.tgz
- write-1.0.3.tgz
- mkdirp-0.5.1.tgz
- ❌ minimist-0.0.8.tgz (Vulnerable Library)
- mkdirp-0.5.1.tgz
- write-1.0.3.tgz
- flat-cache-2.0.1.tgz
-
jest-24.9.0.tgz (Root Library)
- jest-cli-24.9.0.tgz
- core-24.9.0.tgz
- jest-haste-map-24.9.0.tgz
- fsevents-1.2.9.tgz
- node-pre-gyp-0.12.0.tgz
- mkdirp-0.5.1.tgz
- ❌ minimist-0.0.8.tgz (Vulnerable Library)
- mkdirp-0.5.1.tgz
- node-pre-gyp-0.12.0.tgz
- fsevents-1.2.9.tgz
- jest-haste-map-24.9.0.tgz
- core-24.9.0.tgz
- jest-cli-24.9.0.tgz
-
actions-toolkit-2.2.0.tgz (Root Library)
- flat-cache-2.0.1.tgz
- write-1.0.3.tgz
- mkdirp-0.5.1.tgz
- ❌ minimist-0.0.8.tgz (Vulnerable Library)
- mkdirp-0.5.1.tgz
- write-1.0.3.tgz
- flat-cache-2.0.1.tgz
-
nock-11.7.0.tgz (Root Library)
- mkdirp-0.5.1.tgz
- ❌ minimist-0.0.8.tgz (Vulnerable Library)
- mkdirp-0.5.1.tgz
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "proto" payload.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Mar 11, 2020 09:40 PM
URL: CVE-2020-7598
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 6.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-vh95-rmgr-6w4m
Release Date: Mar 11, 2020 09:40 PM
Fix Resolution : minimist - 1.2.3,minimist - 0.2.1
🟠CVE-2020-7598
Vulnerable Library - minimist-1.2.0.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz
Dependency Hierarchy:
-
actions-toolkit-2.0.0.tgz (Root Library)
- ❌ minimist-1.2.0.tgz (Vulnerable Library)
-
actions-toolkit-2.1.0.tgz (Root Library)
- ❌ minimist-1.2.0.tgz (Vulnerable Library)
-
jest-24.9.0.tgz (Root Library)
- jest-cli-24.9.0.tgz
- jest-config-24.9.0.tgz
- core-7.7.4.tgz
- json5-2.1.1.tgz
- ❌ minimist-1.2.0.tgz (Vulnerable Library)
- json5-2.1.1.tgz
- core-7.7.4.tgz
- jest-config-24.9.0.tgz
- jest-cli-24.9.0.tgz
-
actions-toolkit-2.2.0.tgz (Root Library)
- ❌ minimist-1.2.0.tgz (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
Vulnerability Details
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "proto" payload.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Mar 11, 2020 09:40 PM
URL: CVE-2020-7598
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 6.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-vh95-rmgr-6w4m
Release Date: Mar 11, 2020 09:40 PM
Fix Resolution : minimist - 1.2.3,minimist - 0.2.1
🟠CVE-2022-0235
Vulnerable Library - node-fetch-2.6.0.tgz
A light-weight module that brings window.fetch to node.js
Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.0.tgz
Dependency Hierarchy:
-
actions-toolkit-2.0.0.tgz (Root Library)
- graphql-2.1.1.tgz
- request-3.0.2.tgz
- ❌ node-fetch-2.6.0.tgz (Vulnerable Library)
- request-3.0.2.tgz
- graphql-2.1.1.tgz
-
actions-toolkit-2.1.0.tgz (Root Library)
- graphql-2.1.2.tgz
- request-4.1.1.tgz
- ❌ node-fetch-2.6.0.tgz (Vulnerable Library)
- request-4.1.1.tgz
- graphql-2.1.2.tgz
-
actions-toolkit-2.2.0.tgz (Root Library)
- graphql-2.1.3.tgz
- request-5.3.0.tgz
- ❌ node-fetch-2.6.0.tgz (Vulnerable Library)
- request-5.3.0.tgz
- graphql-2.1.3.tgz
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
Publish Date: Jan 16, 2022 12:00 AM
URL: CVE-2022-0235
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 5.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-r683-j2x4-v87g
Release Date: Jan 16, 2022 12:00 AM
Fix Resolution : node-fetch - 3.1.1,node-fetch - 2.6.7,https://github.com/node-fetch/node-fetch.git - no_fix
🟡CVE-2020-15168
Vulnerable Library - node-fetch-2.6.0.tgz
A light-weight module that brings window.fetch to node.js
Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.0.tgz
Dependency Hierarchy:
-
actions-toolkit-2.0.0.tgz (Root Library)
- graphql-2.1.1.tgz
- request-3.0.2.tgz
- ❌ node-fetch-2.6.0.tgz (Vulnerable Library)
- request-3.0.2.tgz
- graphql-2.1.1.tgz
-
actions-toolkit-2.1.0.tgz (Root Library)
- graphql-2.1.2.tgz
- request-4.1.1.tgz
- ❌ node-fetch-2.6.0.tgz (Vulnerable Library)
- request-4.1.1.tgz
- graphql-2.1.2.tgz
-
actions-toolkit-2.2.0.tgz (Root Library)
- graphql-2.1.3.tgz
- request-5.3.0.tgz
- ❌ node-fetch-2.6.0.tgz (Vulnerable Library)
- request-5.3.0.tgz
- graphql-2.1.3.tgz
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
node-fetch before versions 2.6.1 and 3.0.0-beta.9 did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure. For most people, this fix will have a little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant, for example: If you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.
Publish Date: Sep 10, 2020 06:25 PM
URL: CVE-2020-15168
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 2.1
Suggested Fix
Type: Upgrade version
Origin: GHSA-w7rc-rwvf-8q5r
Release Date: Sep 10, 2020 06:25 PM
Fix Resolution : node-fetch - 2.6.1,node-fetch - 3.0.0-beta.9
🟡CVE-2025-5889
Vulnerable Library - brace-expansion-1.1.11.tgz
Brace expansion as known from sh/bash
Library home page: https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.11.tgz
Dependency Hierarchy:
-
actions-toolkit-4.0.0.tgz (Root Library)
- flat-cache-2.0.1.tgz
- rimraf-2.6.3.tgz
- glob-7.1.6.tgz
- minimatch-3.0.4.tgz
- ❌ brace-expansion-1.1.11.tgz (Vulnerable Library)
- minimatch-3.0.4.tgz
- glob-7.1.6.tgz
- rimraf-2.6.3.tgz
- flat-cache-2.0.1.tgz
-
actions-toolkit-2.0.0.tgz (Root Library)
- flat-cache-2.0.1.tgz
- rimraf-2.6.3.tgz
- glob-7.1.4.tgz
- minimatch-3.0.4.tgz
- ❌ brace-expansion-1.1.11.tgz (Vulnerable Library)
- minimatch-3.0.4.tgz
- glob-7.1.4.tgz
- rimraf-2.6.3.tgz
- flat-cache-2.0.1.tgz
-
actions-toolkit-2.1.0.tgz (Root Library)
- flat-cache-2.0.1.tgz
- rimraf-2.6.3.tgz
- glob-7.1.4.tgz
- minimatch-3.0.4.tgz
- ❌ brace-expansion-1.1.11.tgz (Vulnerable Library)
- minimatch-3.0.4.tgz
- glob-7.1.4.tgz
- rimraf-2.6.3.tgz
- flat-cache-2.0.1.tgz
-
jest-24.9.0.tgz (Root Library)
- jest-cli-24.9.0.tgz
- jest-config-24.9.0.tgz
- glob-7.1.4.tgz
- minimatch-3.0.4.tgz
- ❌ brace-expansion-1.1.11.tgz (Vulnerable Library)
- minimatch-3.0.4.tgz
- glob-7.1.4.tgz
- jest-config-24.9.0.tgz
- jest-cli-24.9.0.tgz
-
actions-toolkit-2.2.0.tgz (Root Library)
- flat-cache-2.0.1.tgz
- rimraf-2.6.3.tgz
- glob-7.1.5.tgz
- minimatch-3.0.4.tgz
- ❌ brace-expansion-1.1.11.tgz (Vulnerable Library)
- minimatch-3.0.4.tgz
- glob-7.1.5.tgz
- rimraf-2.6.3.tgz
- flat-cache-2.0.1.tgz
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
A vulnerability was found in juliangruber brace-expansion up to 1.1.11. It has been rated as problematic. Affected by this issue is the function expand of the file index.js. The manipulation leads to inefficient regular expression complexity. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is a5b98a4f30d7813266b221435e1eaaf25a1b0ac5. It is recommended to apply a patch to fix this issue.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Jun 09, 2025 06:16 PM
URL: CVE-2025-5889
Threat Assessment
Exploit Maturity:Proof of concept
EPSS:< 1%
Score: 1.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-v6h2-p8h4-qcjw
Release Date: Jun 09, 2025 06:16 PM
Fix Resolution : brace-expansion - 4.0.1,https://github.com/juliangruber/brace-expansion.git - no_fix,brace-expansion - 3.0.1,brace-expansion - 2.0.2,brace-expansion - 1.1.12