[GHSA-73rr-hh4g-fpgx] jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch #6743
Conversation
|
Hi there @kpdecker! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository. This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory |
| { | ||
| "type": "CVSS_V4", | ||
| "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U" | ||
| "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" |
There was a problem hiding this comment.
Feel free to undo this change, the form would not let me submit without removing the last bit
github-actions
bot
changed the base branch from
main
to
CraigHammondDexcom/advisory-improvement-6743
| "CWE-400" | ||
| ], | ||
| "severity": "LOW", | ||
| "severity": "MODERATE", |
There was a problem hiding this comment.
I did not intend to change the severity
There was a problem hiding this comment.
Pull request overview
This PR updates the security advisory GHSA-73rr-hh4g-fpgx for a Denial of Service vulnerability in the jsdiff library. The update includes modifications to the CVSS v4 score, severity level, and adds coverage for a backported fix in version 3.5.1.
Changes:
- Updated CVSS v4 score by removing optional Exploit Maturity metric
- Added new affected version range (0 to 3.5.1) to cover older versions with backported fix
- Corrected existing version range to start at 4.0.0 instead of 0
- Elevated severity from LOW to MODERATE
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Updates
Comments
https://github.com/kpdecker/jsdiff/releases/tag/v3.5.1 was created featuring a backport of the vulnerability fixes.