actions-toolkit-4.0.0.tgz: 6 vulnerabilities (highest severity is: 9.8) [main] (unreachable) #24
Description
📂 Vulnerable Library - actions-toolkit-4.0.0.tgz
A toolkit for building GitHub Actions in Node.js
Findings
| Finding | Severity | 🎯 CVSS | Exploit Maturity | EPSS | Library | Type | Fixed in | Remediation Available | Reachability |
|---|---|---|---|---|---|---|---|---|---|
| CVE-289561-266276 | 🟣 Critical | 9.8 | N/A | N/A | inherits-2.0.4.tgz | Transitive | N/A | ❌ | |
| CVE-2021-44906 | 🟣 Critical | 9.3 | Not Defined | < 1% | minimist-1.2.5.tgz | Transitive | N/A | ❌ |  Unreachable |
| CVE-2022-3517 | 🔴 High | 8.7 | Not Defined | < 1% | minimatch-3.0.4.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2020-7598 | 🟠 Medium | 6.3 | Not Defined | < 1% | minimist-1.2.5.tgz | Transitive | N/A | ❌ | |
| CVE-2022-0235 | 🟠 Medium | 5.3 | Not Defined | < 1% | node-fetch-2.6.1.tgz | Direct | https://github.com/node-fetch/node-fetch.git - no_fix,node-fetch - 3.1.1,node-fetch - 2.6.7 | ✅ | Unreachable |
| CVE-2025-5889 | 🟡 Low | 1.3 | Proof of concept | < 1% | brace-expansion-1.1.11.tgz | Transitive | N/A | ❌ | Unreachable |
Details
🟣CVE-289561-266276
Vulnerable Library - inherits-2.0.4.tgz
Browser-friendly inheritance fully compatible with standard node.js inherits()
Library home page: https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz
Dependency Hierarchy:
-
actions-toolkit-4.0.0.tgz (Root Library)
- flat-cache-2.0.1.tgz
- rimraf-2.6.3.tgz
- glob-7.1.6.tgz
- ❌ inherits-2.0.4.tgz (Vulnerable Library)
- glob-7.1.6.tgz
- rimraf-2.6.3.tgz
- flat-cache-2.0.1.tgz
-
actions-toolkit-2.1.0.tgz (Root Library)
- flat-cache-2.0.1.tgz
- rimraf-2.6.3.tgz
- glob-7.1.4.tgz
- ❌ inherits-2.0.4.tgz (Vulnerable Library)
- glob-7.1.4.tgz
- rimraf-2.6.3.tgz
- flat-cache-2.0.1.tgz
-
jest-24.9.0.tgz (Root Library)
- jest-cli-24.9.0.tgz
- jest-config-24.9.0.tgz
- glob-7.1.4.tgz
- ❌ inherits-2.0.4.tgz (Vulnerable Library)
- glob-7.1.4.tgz
- jest-config-24.9.0.tgz
- jest-cli-24.9.0.tgz
-
actions-toolkit-2.2.0.tgz (Root Library)
- flat-cache-2.0.1.tgz
- rimraf-2.6.3.tgz
- glob-7.1.5.tgz
- ❌ inherits-2.0.4.tgz (Vulnerable Library)
- glob-7.1.5.tgz
- rimraf-2.6.3.tgz
- flat-cache-2.0.1.tgz
Vulnerability Details
Created automatically by the test suite
Publish Date: Jun 07, 2010 05:12 PM
URL: CVE-289561-266276
Threat Assessment
Exploit Maturity:N/A
EPSS:N/A
Score: 9.8
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :
🟣CVE-2021-44906
Vulnerable Library - minimist-1.2.5.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz
Dependency Hierarchy:
- actions-toolkit-4.0.0.tgz (Root Library)
- ❌ minimist-1.2.5.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
Publish Date: Mar 17, 2022 01:05 PM
URL: CVE-2021-44906
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 9.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-xvch-5gv4-984h
Release Date: Mar 17, 2022 01:05 PM
Fix Resolution : minimist - 0.2.4,minimist - 1.2.6
🔴CVE-2022-3517
Vulnerable Library - minimatch-3.0.4.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz
Dependency Hierarchy:
-
actions-toolkit-4.0.0.tgz (Root Library)
- flat-cache-2.0.1.tgz
- rimraf-2.6.3.tgz
- glob-7.1.6.tgz
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
- glob-7.1.6.tgz
- rimraf-2.6.3.tgz
- flat-cache-2.0.1.tgz
-
actions-toolkit-2.0.0.tgz (Root Library)
- flat-cache-2.0.1.tgz
- rimraf-2.6.3.tgz
- glob-7.1.4.tgz
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
- glob-7.1.4.tgz
- rimraf-2.6.3.tgz
- flat-cache-2.0.1.tgz
-
actions-toolkit-2.1.0.tgz (Root Library)
- flat-cache-2.0.1.tgz
- rimraf-2.6.3.tgz
- glob-7.1.4.tgz
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
- glob-7.1.4.tgz
- rimraf-2.6.3.tgz
- flat-cache-2.0.1.tgz
-
jest-24.9.0.tgz (Root Library)
- jest-cli-24.9.0.tgz
- jest-config-24.9.0.tgz
- glob-7.1.4.tgz
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
- glob-7.1.4.tgz
- jest-config-24.9.0.tgz
- jest-cli-24.9.0.tgz
-
actions-toolkit-2.2.0.tgz (Root Library)
- flat-cache-2.0.1.tgz
- rimraf-2.6.3.tgz
- glob-7.1.5.tgz
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
- glob-7.1.5.tgz
- rimraf-2.6.3.tgz
- flat-cache-2.0.1.tgz
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Publish Date: Oct 17, 2022 12:00 AM
URL: CVE-2022-3517
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: GHSA-f8q6-p94x-37v3
Release Date: Oct 17, 2022 12:00 AM
Fix Resolution : minimatch - 3.0.5
🟠CVE-2020-7598
Vulnerable Library - minimist-1.2.5.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz
Dependency Hierarchy:
- actions-toolkit-4.0.0.tgz (Root Library)
- ❌ minimist-1.2.5.tgz (Vulnerable Library)
Vulnerability Details
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "proto" payload.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Mar 11, 2020 09:40 PM
URL: CVE-2020-7598
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 6.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-vh95-rmgr-6w4m
Release Date: Mar 11, 2020 09:40 PM
Fix Resolution : minimist - 1.2.3,minimist - 0.2.1
🟠CVE-2022-0235
Vulnerable Library - node-fetch-2.6.1.tgz
A light-weight module that brings window.fetch to node.js
Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.1.tgz
Dependency Hierarchy:
-
actions-toolkit-4.0.0.tgz (Root Library)
- rest-17.9.2.tgz
- core-2.5.3.tgz
- request-5.4.4.tgz
- ❌ node-fetch-2.6.1.tgz (Vulnerable Library)
- request-5.4.4.tgz
- core-2.5.3.tgz
- rest-17.9.2.tgz
-
❌ node-fetch-2.6.1.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
Publish Date: Jan 16, 2022 12:00 AM
URL: CVE-2022-0235
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 5.3
Suggested Fix
Type: Upgrade version
Origin: https://osv.dev/vulnerability/CVE-2022-0235
Release Date: Jan 16, 2022 12:00 AM
Fix Resolution : https://github.com/node-fetch/node-fetch.git - no_fix,node-fetch - 3.1.1,node-fetch - 2.6.7
🟡CVE-2025-5889
Vulnerable Library - brace-expansion-1.1.11.tgz
Brace expansion as known from sh/bash
Library home page: https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.11.tgz
Dependency Hierarchy:
-
actions-toolkit-4.0.0.tgz (Root Library)
- flat-cache-2.0.1.tgz
- rimraf-2.6.3.tgz
- glob-7.1.6.tgz
- minimatch-3.0.4.tgz
- ❌ brace-expansion-1.1.11.tgz (Vulnerable Library)
- minimatch-3.0.4.tgz
- glob-7.1.6.tgz
- rimraf-2.6.3.tgz
- flat-cache-2.0.1.tgz
-
actions-toolkit-2.0.0.tgz (Root Library)
- flat-cache-2.0.1.tgz
- rimraf-2.6.3.tgz
- glob-7.1.4.tgz
- minimatch-3.0.4.tgz
- ❌ brace-expansion-1.1.11.tgz (Vulnerable Library)
- minimatch-3.0.4.tgz
- glob-7.1.4.tgz
- rimraf-2.6.3.tgz
- flat-cache-2.0.1.tgz
-
actions-toolkit-2.1.0.tgz (Root Library)
- flat-cache-2.0.1.tgz
- rimraf-2.6.3.tgz
- glob-7.1.4.tgz
- minimatch-3.0.4.tgz
- ❌ brace-expansion-1.1.11.tgz (Vulnerable Library)
- minimatch-3.0.4.tgz
- glob-7.1.4.tgz
- rimraf-2.6.3.tgz
- flat-cache-2.0.1.tgz
-
jest-24.9.0.tgz (Root Library)
- jest-cli-24.9.0.tgz
- jest-config-24.9.0.tgz
- glob-7.1.4.tgz
- minimatch-3.0.4.tgz
- ❌ brace-expansion-1.1.11.tgz (Vulnerable Library)
- minimatch-3.0.4.tgz
- glob-7.1.4.tgz
- jest-config-24.9.0.tgz
- jest-cli-24.9.0.tgz
-
actions-toolkit-2.2.0.tgz (Root Library)
- flat-cache-2.0.1.tgz
- rimraf-2.6.3.tgz
- glob-7.1.5.tgz
- minimatch-3.0.4.tgz
- ❌ brace-expansion-1.1.11.tgz (Vulnerable Library)
- minimatch-3.0.4.tgz
- glob-7.1.5.tgz
- rimraf-2.6.3.tgz
- flat-cache-2.0.1.tgz
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
A vulnerability was found in juliangruber brace-expansion up to 1.1.11. It has been rated as problematic. Affected by this issue is the function expand of the file index.js. The manipulation leads to inefficient regular expression complexity. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is a5b98a4f30d7813266b221435e1eaaf25a1b0ac5. It is recommended to apply a patch to fix this issue.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Jun 09, 2025 06:16 PM
URL: CVE-2025-5889
Threat Assessment
Exploit Maturity:Proof of concept
EPSS:< 1%
Score: 1.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-v6h2-p8h4-qcjw
Release Date: Jun 09, 2025 06:16 PM
Fix Resolution : brace-expansion - 4.0.1,https://github.com/juliangruber/brace-expansion.git - no_fix,brace-expansion - 3.0.1,brace-expansion - 2.0.2,brace-expansion - 1.1.12