DevSecOps MCP Server

{ "tool": "Trivy", "scan_id": "sca-trivy-1770171651250", "status": "completed", "project_path": "c:\\Users\\Jezuz\\OneDrive\\Escritorio\\Quarksoft\\Miguel\\PruebasUnitarias", "package_manager": "npm", "vulnerabilities": [ { "id": "CVE-2026-24001", "title": "jsdiff: denial of service vulnerability in parsePatch and applyPatch", "severity": "low", "package_name": "diff", "package_version": "4.0.2", "vulnerable_versions": "4.0.2", "patched_versions": "8.0.3, 5.2.2, 4.0.4, 3.5.1", "description": "jsdiff is a JavaScript text differencing implementation. Prior to versions 8.0.3, 5.2.2, 4.0.4, and 3.5.1, attempting to parse a patch whose filename headers contain the line break characters `\\r`, `\\u2028`, or `\\u2029` can cause the `parsePatch` method to enter an infinite loop. It then consumes memory without limit until the process crashes due to running out of memory. Applications are therefore likely to be vulnerable to a denial-of-service attack if they call `parsePatch` with a user-provided patch as input. A large payload is not needed to trigger the vulnerability, so size limits on user input do not provide any protection. Furthermore, some applications may be vulnerable even when calling `parsePatch` on a patch generated by the application itself if the user is nonetheless able to control the filename headers (e.g. by directly providing the filenames of the files to be diffed). The `applyPatch` method is similarly affected if (and only if) called with a string representation of a patch as an argument, since under the hood it parses that string using `parsePatch`. Other methods of the library are unaffected. Finally, a second and lesser interdependent bug - a ReDOS - also exhibits when those same line break characters are present in a patch's *patch* header (also known as its \"leading garbage\"). A maliciously-crafted patch header of length *n* can take `parsePatch` O(*n*³) time to parse. Versions 8.0.3, 5.2.2, 4.0.4, and 3.5.1 contain a fix. As a workaround, do not attempt to parse patches that contain any of these characters: `\\r`, `\\u2028`, or `\\u2029`.", "references": [ "https://access.redhat.com/security/cve/CVE-2026-24001", "https://github.com/kpdecker/jsdiff", "https://github.com/kpdecker/jsdiff/commit/15a1585230748c8ae6f8274c202e0c87309142f5", "https://github.com/kpdecker/jsdiff/issues/653", "https://github.com/kpdecker/jsdiff/pull/649", "https://github.com/kpdecker/jsdiff/security/advisories/GHSA-73rr-hh4g-fpgx", "https://nvd.nist.gov/vuln/detail/CVE-2026-24001", "https://www.cve.org/CVERecord?id=CVE-2026-24001" ], "cve_ids": [ "CVE-2026-24001" ], "cwe_ids": [ "CWE-400", "CWE-1333" ], "cvss_score": 7.5, "fix_available": true, "fix_version": "8.0.3, 5.2.2, 4.0.4, 3.5.1" }, { "id": "CVE-2025-13465", "title": "lodash: prototype pollution in _.unset and _.omit functions", "severity": "medium", "package_name": "lodash", "package_version": "4.17.21", "vulnerable_versions": "4.17.21", "patched_versions": "4.17.23", "description": "Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.\n\nThe issue permits deletion of properties but does not allow overwriting their original behavior.\n\nThis issue is patched on 4.17.23", "references": [ "https://access.redhat.com/security/cve/CVE-2025-13465", "https://github.com/lodash/lodash", "https://github.com/lodash/lodash/commit/edadd452146f7e4bad4ea684e955708931d84d81", "https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg", "https://nvd.nist.gov/vuln/detail/CVE-2025-13465", "https://www.cve.org/CVERecord?id=CVE-2025-13465" ], "cve_ids": [ "CVE-2025-13465" ], "cwe_ids": [ "CWE-1321" ], "cvss_score": 6.5, "fix_available": true, "fix_version": "4.17.23" }, { "id": "CVE-2025-15284", "title": "qs: qs: Denial of Service via improper input validation in array parsing", "severity": "high", "package_name": "qs", "package_version": "6.13.0", "vulnerable_versions": "6.13.0", "patched_versions": "6.14.1", "description": "Improper Input Validation vulnerability in qs (parse modules) allows HTTP DoS.This issue affects qs: < 6.14.1.\n\n\nSummaryThe arrayLimit option in qs does not enforce limits for bracket notation (a[]=1&a[]=2), allowing attackers to cause denial-of-service via memory exhaustion. Applications using arrayLimit for DoS protection are vulnerable.\n\nDetailsThe arrayLimit option only checks limits for indexed notation (a[0]=1&a[1]=2) but completely bypasses it for bracket notation (a[]=1&a[]=2).\n\nVulnerable code (lib/parse.js:159-162):\n\nif (root === '[]' && options.parseArrays) {\n obj = utils.combine([], leaf); // No arrayLimit check\n}\n\n\n\n\n\nWorking code (lib/parse.js:175):\n\nelse if (index <= options.arrayLimit) { // Limit checked here\n obj = [];\n obj[index] = leaf;\n}\n\n\n\n\n\nThe bracket notation handler at line 159 uses utils.combine([], leaf) without validating against options.arrayLimit, while indexed notation at line 175 checks index <= options.arrayLimit before creating arrays.\n\nPoCTest 1 - Basic bypass:\n\nnpm install qs\n\n\n\n\n\nconst qs = require('qs');\nconst result = qs.parse('a[]=1&a[]=2&a[]=3&a[]=4&a[]=5&a[]=6', { arrayLimit: 5 });\nconsole.log(result.a.length); // Output: 6 (should be max 5)\n\n\n\n\n\nTest 2 - DoS demonstration:\n\nconst qs = require('qs');\nconst attack = 'a[]=' + Array(10000).fill('x').join('&a[]=');\nconst result = qs.parse(attack, { arrayLimit: 100 });\nconsole.log(result.a.length); // Output: 10000 (should be max 100)\n\n\n\n\n\nConfiguration:\n\n * arrayLimit: 5 (test 1) or arrayLimit: 100 (test 2)\n * Use bracket notation: a[]=value (not indexed a[0]=value)\n\n\nImpactDenial of Service via memory exhaustion. Affects applications using qs.parse() with user-controlled input and arrayLimit for protection.\n\nAttack scenario:\n\n * Attacker sends HTTP request: GET /api/search?filters[]=x&filters[]=x&...&filters[]=x (100,000+ times)\n * Application parses with qs.parse(query, { arrayLimit: 100 })\n * qs ignores limit, parses all 100,000 elements into array\n * Server memory exhausted → application crashes or becomes unresponsive\n * Service unavailable for all users\nReal-world impact:\n\n * Single malicious request can crash server\n * No authentication required\n * Easy to automate and scale\n * Affects any endpoint parsing query strings with bracket notation", "references": [ "https://access.redhat.com/security/cve/CVE-2025-15284", "https://github.com/ljharb/qs", "https://github.com/ljharb/qs/commit/3086902ecf7f088d0d1803887643ac6c03d415b9", "https://github.com/ljharb/qs/security/advisories/GHSA-6rw7-vpxm-498p", "https://nvd.nist.gov/vuln/detail/CVE-2025-15284", "https://www.cve.org/CVERecord?id=CVE-2025-15284" ], "cve_ids": [ "CVE-2025-15284" ], "cwe_ids": [ "CWE-20" ], "cvss_score": 7.5, "fix_available": true, "fix_version": "6.14.1" }, { "id": "CVE-2026-23745", "title": "node-tar: tar: node-tar: Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives", "severity": "high", "package_name": "tar", "package_version": "6.2.1", "vulnerable_versions": "6.2.1", "patched_versions": "7.5.3", "description": "node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning via absolute symlink targets. This vulnerability is fixed in 7.5.3.", "references": [ "https://access.redhat.com/security/cve/CVE-2026-23745", "https://github.com/isaacs/node-tar", "https://github.com/isaacs/node-tar/commit/340eb285b6d986e91969a1170d7fe9b0face405e", "https://github.com/isaacs/node-tar/security/advisories/GHSA-8qq5-rm4j-mr97", "https://nvd.nist.gov/vuln/detail/CVE-2026-23745", "https://www.cve.org/CVERecord?id=CVE-2026-23745" ], "cve_ids": [ "CVE-2026-23745" ], "cwe_ids": [ "CWE-22" ], "cvss_score": 8.2, "fix_available": true, "fix_version": "7.5.3" }, { "id": "CVE-2026-23950", "title": "node-tar: tar: node-tar: Arbitrary file overwrite via Unicode path collision race condition", "severity": "high", "package_name": "tar", "package_version": "6.2.1", "vulnerable_versions": "6.2.1", "patched_versions": "7.5.4", "description": "node-tar,a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This is due to an incomplete handling of Unicode path collisions in the `path-reservations` system. On case-insensitive or normalization-insensitive filesystems (such as macOS APFS, In which it has been tested), the library fails to lock colliding paths (e.g., `ß` and `ss`), allowing them to be processed in parallel. This bypasses the library's internal concurrency safeguards and permits Symlink Poisoning attacks via race conditions. The library uses a `PathReservations` system to ensure that metadata checks and file operations for the same path are serialized. This prevents race conditions where one entry might clobber another concurrently. This is a Race Condition which enables Arbitrary File Overwrite. This vulnerability affects users and systems using node-tar on macOS (APFS/HFS+). Because of using `NFD` Unicode normalization (in which `ß` and `ss` are different), conflicting paths do not have their order properly preserved under filesystems that ignore Unicode normalization (e.g., APFS (in which `ß` causes an inode collision with `ss`)). This enables an attacker to circumvent internal parallelization locks (`PathReservations`) using conflicting filenames within a malicious tar archive. The patch in version 7.5.4 updates `path-reservations.js` to use a normalization form that matches the target filesystem's behavior (e.g., `NFKD`), followed by first `toLocaleLowerCase('en')` and then `toLocaleUpperCase('en')`. As a workaround, users who cannot upgrade promptly, and who are programmatically using `node-tar` to extract arbitrary tarball data should filter out all `SymbolicLink` entries (as npm does) to defend against arbitrary file writes via this file system entry name collision issue.", "references": [ "https://access.redhat.com/security/cve/CVE-2026-23950", "https://github.com/isaacs/node-tar", "https://github.com/isaacs/node-tar/commit/3b1abfae650056edfabcbe0a0df5954d390521e6", "https://github.com/isaacs/node-tar/security/advisories/GHSA-r6q2-hw4h-h46w", "https://nvd.nist.gov/vuln/detail/CVE-2026-23950", "https://www.cve.org/CVERecord?id=CVE-2026-23950" ], "cve_ids": [ "CVE-2026-23950" ], "cwe_ids": [ "CWE-176", "CWE-352", "CWE-367" ], "cvss_score": 8.8, "fix_available": true, "fix_version": "7.5.4" }, { "id": "CVE-2026-24842", "title": "node-tar: tar: node-tar: Arbitrary file creation via path traversal bypass in hardlink security check", "severity": "high", "package_name": "tar", "package_version": "6.2.1", "vulnerable_versions": "6.2.1", "patched_versions": "7.5.7", "description": "node-tar,a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that bypasses path traversal protections and creates hardlinks to arbitrary files outside the extraction directory. Version 7.5.7 contains a fix for the issue.", "references": [ "https://access.redhat.com/security/cve/CVE-2026-24842", "https://github.com/isaacs/node-tar", "https://github.com/isaacs/node-tar/commit/f4a7aa9bc3d717c987fdf1480ff7a64e87ffdb46", "https://github.com/isaacs/node-tar/security/advisories/GHSA-34x7-hfp2-rc4v", "https://nvd.nist.gov/vuln/detail/CVE-2026-24842", "https://www.cve.org/CVERecord?id=CVE-2026-24842" ], "cve_ids": [ "CVE-2026-24842" ], "cwe_ids": [ "CWE-22", "CWE-59" ], "cvss_score": 8.2, "fix_available": true, "fix_version": "7.5.7" } ], "license_issues": [], "summary": { "total_vulnerabilities": 6, "critical": 0, "high": 4, "medium": 1, "low": 1, "fixable": 6, "license_violations": 0 }, "remediation": { "upgrades": [], "patches": [] }, "metadata": { "scan_duration": 18876, "total_dependencies": 0, "direct_dependencies": 0, "timestamp": "2026-02-04T02:21:09.589Z" } }