eslint-config-google-0.14.0.tgz: 5 vulnerabilities (highest severity is: 7.5) reachable #98
Description
Vulnerable Library - eslint-config-google-0.14.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Vulnerabilities
| Vulnerability | Severity |  CVSS |
Exploit Maturity | EPSS | Dependency | Type | Fixed in (eslint-config-google version) | Remediation Possible** | Reachability |
|---|---|---|---|---|---|---|---|---|---|
| CVE-2024-21538 |  High |
7.5 | Proof of concept | 0.1% | cross-spawn-7.0.3.tgz | Transitive | N/A* | ❌ |
|
| CVE-2023-26115 |  Medium |
5.3 | Proof of concept | 0.0% | word-wrap-1.2.3.tgz | Transitive | N/A* | ❌ |
|
| CVE-2025-64718 | Medium |
5.3 | Not Defined | 0.0% | js-yaml-4.1.0.tgz | Transitive | N/A* | ❌ |
|
| CVE-2025-69873 | High |
7.5 | Not Defined | ajv-6.12.6.tgz | Transitive | N/A* | ❌ | ||
| CVE-2025-50537 | Medium |
5.5 | Not Defined | 0.0% | eslint-8.33.0.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2024-21538
Vulnerable Library - cross-spawn-7.0.3.tgz
Cross platform child_process#spawn and child_process#spawnSync
Library home page: https://registry.npmjs.org/cross-spawn/-/cross-spawn-7.0.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- eslint-config-google-0.14.0.tgz (Root Library)
- eslint-8.33.0.tgz
- ❌ cross-spawn-7.0.3.tgz (Vulnerable Library)
- eslint-8.33.0.tgz
Found in base branch: main
Reachability Analysis
This vulnerability is potentially reachable
learning-opentok-node-0.0.0/package.json (Application)
-> eslint-8.33.0/bin/eslint.js (Extension)
-> cross-spawn-7.0.3/index.js (Extension)
-> cross-spawn-7.0.3/lib/parse.js (Extension)
-> ❌ cross-spawn-7.0.3/lib/util/escape.js (Vulnerable Component)
Vulnerability Details
Versions of the package cross-spawn before 6.0.6, from 7.0.0 and before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.
Publish Date: 2024-11-08
URL: CVE-2024-21538
Threat Assessment
Exploit Maturity: Proof of concept
EPSS: 0.1%
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2024-21538
Release Date: 2024-11-08
Fix Resolution: org.webjars.npm:cross-spawn:6.0.6,https://github.com/moxystudio/node-cross-spawn.git - v6.0.6,https://github.com/moxystudio/node-cross-spawn.git - v7.0.5,cross-spawn - 7.0.5,cross-spawn - 6.0.6
CVE-2023-26115
Vulnerable Library - word-wrap-1.2.3.tgz
Wrap words to a specified length.
Library home page: https://registry.npmjs.org/word-wrap/-/word-wrap-1.2.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- eslint-config-google-0.14.0.tgz (Root Library)
- eslint-8.33.0.tgz
- optionator-0.9.1.tgz
- ❌ word-wrap-1.2.3.tgz (Vulnerable Library)
- optionator-0.9.1.tgz
- eslint-8.33.0.tgz
Found in base branch: main
Reachability Analysis
This vulnerability is potentially reachable
learning-opentok-node-0.0.0/package.json (Application)
-> eslint-8.33.0/bin/eslint.js (Extension)
-> eslint-8.33.0/lib/cli.js (Extension)
-> eslint-8.33.0/lib/options.js (Extension)
-> optionator-0.9.1/lib/index.js (Extension)
-> optionator-0.9.1/lib/help.js (Extension)
-> ❌ word-wrap-1.2.3/index.js (Vulnerable Component)
Vulnerability Details
All versions of the package word-wrap are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of an insecure regular expression within the result variable.
Publish Date: 2023-06-22
URL: CVE-2023-26115
Threat Assessment
Exploit Maturity: Proof of concept
EPSS: 0.0%
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-j8xg-fqg3-53r7
Release Date: 2023-06-22
Fix Resolution: word-wrap - 1.2.4
CVE-2025-64718
Vulnerable Library - js-yaml-4.1.0.tgz
YAML 1.2 parser and serializer
Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- eslint-config-google-0.14.0.tgz (Root Library)
- eslint-8.33.0.tgz
- ❌ js-yaml-4.1.0.tgz (Vulnerable Library)
- eslint-8.33.0.tgz
Found in base branch: main
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution ("proto"). All users who parse untrusted yaml documents may be impacted. The problem is patched in js-yaml 4.1.1 and 3.14.2. Users can protect against this kind of attack on the server by using "node --disable-proto=delete" or "deno" (in Deno, pollution protection is on by default).
Publish Date: 2025-11-13
URL: CVE-2025-64718
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.0%
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-mh29-5h37-fv8m
Release Date: 2025-11-13
Fix Resolution: js-yaml - 4.1.1,js-yaml - 3.14.2
CVE-2025-69873
Vulnerable Library - ajv-6.12.6.tgz
Another JSON Schema Validator
Library home page: https://registry.npmjs.org/ajv/-/ajv-6.12.6.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- eslint-config-google-0.14.0.tgz (Root Library)
- eslint-8.33.0.tgz
- ❌ ajv-6.12.6.tgz (Vulnerable Library)
- eslint-8.33.0.tgz
Found in base branch: main
Vulnerability Details
ajv (Another JSON Schema Validator) through version 8.17.1 is vulnerable to Regular Expression Denial of Service (ReDoS) when the $data option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax (
Publish Date: 2026-02-11
URL: CVE-2025-69873
Threat Assessment
Exploit Maturity: Not Defined
EPSS:
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
CVE-2025-50537
Vulnerable Library - eslint-8.33.0.tgz
Library home page: https://registry.npmjs.org/eslint/-/eslint-8.33.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- eslint-config-google-0.14.0.tgz (Root Library)
- ❌ eslint-8.33.0.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Stack overflow vulnerability in eslint before 9.26.0 when serializing objects with circular references in eslint/lib/shared/serialization.js. The exploit is triggered via the RuleTester.run() method, which validates test cases and checks for duplicates. During validation, the internal function checkDuplicateTestCase() is called, which in turn uses the isSerializable() function for serialization checks. When a circular reference object is passed in, isSerializable() enters infinite recursion, ultimately causing a stack overflow.
Publish Date: 2026-01-26
URL: CVE-2025-50537
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.0%
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2026-01-26
Fix Resolution: eslint - 9.26.0,https://github.com/eslint/eslint.git - v9.26.0