Security: Known vulnerable dependencies (CVE-2022-23529, CVE-2023-3696, CVE-2024-43796, CVE-2022-31129)

## Security Advisory

This project includes four dependencies with known critical and high-severity vulnerabilities.

### 1. jsonwebtoken@^8.5.1 — CVE-2022-23529 (Critical)
JWT verification bypass allowing token forgery.
- **Fix:** Upgrade to >= 9.0.0
- **Ref:** https://nvd.nist.gov/vuln/detail/CVE-2022-23529

### 2. mongoose@^5.7.6 — CVE-2023-3696 (Critical)
Prototype pollution via crafted query objects.
- **Fix:** Upgrade to >= 6.9.1
- **Ref:** https://nvd.nist.gov/vuln/detail/CVE-2023-3696

### 3. express@~4.16.0 — CVE-2024-43796 (Medium)
XSS via response.redirect() with unsanitized input.
- **Fix:** Upgrade to >= 4.21.1
- **Ref:** https://nvd.nist.gov/vuln/detail/CVE-2024-43796

### 4. moment@^2.24.0 — CVE-2022-31129 (High)
ReDoS when parsing user-supplied date strings.
- **Fix:** Upgrade to >= 2.29.4
- **Ref:** https://nvd.nist.gov/vuln/detail/CVE-2022-31129

### Recommendation
Update affected dependencies in package.json to their patched versions.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Security: Known vulnerable dependencies (CVE-2022-23529, CVE-2023-3696, CVE-2024-43796, CVE-2022-31129) #60

Security Advisory

1. jsonwebtoken@^8.5.1 — CVE-2022-23529 (Critical)

2. mongoose@^5.7.6 — CVE-2023-3696 (Critical)

3. express@~4.16.0 — CVE-2024-43796 (Medium)

4. moment@^2.24.0 — CVE-2022-31129 (High)

Recommendation

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Security: Known vulnerable dependencies (CVE-2022-23529, CVE-2023-3696, CVE-2024-43796, CVE-2022-31129) #60

Description

Security Advisory

1. jsonwebtoken@^8.5.1 — CVE-2022-23529 (Critical)

2. mongoose@^5.7.6 — CVE-2023-3696 (Critical)

3. express@~4.16.0 — CVE-2024-43796 (Medium)

4. moment@^2.24.0 — CVE-2022-31129 (High)

Recommendation

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions