gatsby-theme-carbon-3.4.16.tgz: 6 vulnerabilities (highest severity is: 7.5) #203
Description
Vulnerable Library - gatsby-theme-carbon-3.4.16.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Found in HEAD commit: 38861040afa73313b71d1d8b3f6404bff7d9796b
Vulnerabilities
| Vulnerability | Severity |  CVSS |
Dependency | Type | Fixed in (gatsby-theme-carbon version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2021-3803 |  High |
7.5 | nth-check-1.0.2.tgz | Transitive | 4.0.0 | ✅ |
| CVE-2020-7753 | High |
7.5 | trim-0.0.1.tgz | Transitive | 4.0.0 | ✅ |
| CVE-2024-43788 |  Medium |
6.4 | webpack-5.88.1.tgz | Transitive | 3.4.17 | ✅ |
| CVE-2025-27789 | Medium |
6.2 | detected in multiple dependencies | Transitive | 3.4.17 | ✅ |
| CVE-2023-44270 | Medium |
5.3 | postcss-7.0.36.tgz | Transitive | N/A* | ❌ |
| CVE-2023-0842 | Medium |
5.3 | xml2js-0.4.23.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2021-3803
Vulnerable Library - nth-check-1.0.2.tgz
performant nth-check parser & compiler
Library home page: https://registry.npmjs.org/nth-check/-/nth-check-1.0.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- gatsby-theme-carbon-3.4.16.tgz (Root Library)
- gatsby-plugin-mdx-3.20.0.tgz
- static-site-generator-webpack-plugin-3.4.2.tgz
- cheerio-0.22.0.tgz
- css-select-1.2.0.tgz
- ❌ nth-check-1.0.2.tgz (Vulnerable Library)
- css-select-1.2.0.tgz
- cheerio-0.22.0.tgz
- static-site-generator-webpack-plugin-3.4.2.tgz
- gatsby-plugin-mdx-3.20.0.tgz
Found in HEAD commit: 38861040afa73313b71d1d8b3f6404bff7d9796b
Found in base branch: master
Vulnerability Details
nth-check is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-09-17
URL: CVE-2021-3803
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: fb55/nth-check@v2.0.0...v2.0.1
Release Date: 2021-09-17
Fix Resolution (nth-check): 2.0.1
Direct dependency fix Resolution (gatsby-theme-carbon): 4.0.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2020-7753
Vulnerable Library - trim-0.0.1.tgz
Trim string whitespace
Library home page: https://registry.npmjs.org/trim/-/trim-0.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- gatsby-theme-carbon-3.4.16.tgz (Root Library)
- gatsby-plugin-mdx-3.20.0.tgz
- remark-10.0.1.tgz
- remark-parse-6.0.3.tgz
- ❌ trim-0.0.1.tgz (Vulnerable Library)
- remark-parse-6.0.3.tgz
- remark-10.0.1.tgz
- gatsby-plugin-mdx-3.20.0.tgz
Found in HEAD commit: 38861040afa73313b71d1d8b3f6404bff7d9796b
Found in base branch: master
Vulnerability Details
All versions of package trim are vulnerable to Regular Expression Denial of Service (ReDoS) via trim().
Publish Date: 2020-10-27
URL: CVE-2020-7753
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: component/trim#8
Release Date: 2020-10-27
Fix Resolution (trim): 0.0.3
Direct dependency fix Resolution (gatsby-theme-carbon): 4.0.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2024-43788
Vulnerable Library - webpack-5.88.1.tgz
Library home page: https://registry.npmjs.org/webpack/-/webpack-5.88.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- gatsby-theme-carbon-3.4.16.tgz (Root Library)
- gatsby-plugin-sass-resources-3.0.1.tgz
- ❌ webpack-5.88.1.tgz (Vulnerable Library)
- gatsby-plugin-sass-resources-3.0.1.tgz
Found in HEAD commit: 38861040afa73313b71d1d8b3f6404bff7d9796b
Found in base branch: master
Vulnerability Details
Webpack is a module bundler. Its main purpose is to bundle JavaScript files for usage in a browser, yet it is also capable of transforming, bundling, or packaging just about any resource or asset. The webpack developers have discovered a DOM Clobbering vulnerability in Webpack’s "AutoPublicPathRuntimeModule". The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an "img" tag with an unsanitized "name" attribute) are present. Real-world exploitation of this gadget has been observed in the Canvas LMS which allows a XSS attack to happen through a javascript code compiled by Webpack (the vulnerable part is from Webpack). DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. This vulnerability can lead to cross-site scripting (XSS) on websites that include Webpack-generated files and allow users to inject certain scriptless HTML tags with improperly sanitized name or id attributes. This issue has been addressed in release version 5.94.0. All users are advised to upgrade. There are no known workarounds for this issue.
Publish Date: 2024-08-27
URL: CVE-2024-43788
CVSS 3 Score Details (6.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-4vvj-4cpr-p986
Release Date: 2024-08-27
Fix Resolution (webpack): 5.94.0
Direct dependency fix Resolution (gatsby-theme-carbon): 3.4.17
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2025-27789
Vulnerable Libraries - helpers-7.24.1.tgz, runtime-7.23.2.tgz
helpers-7.24.1.tgz
Library home page: https://registry.npmjs.org/@babel/helpers/-/helpers-7.24.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- gatsby-theme-carbon-3.4.16.tgz (Root Library)
- mdx-1.6.22.tgz
- remark-mdx-1.6.22.tgz
- core-7.12.9.tgz
- ❌ helpers-7.24.1.tgz (Vulnerable Library)
- core-7.12.9.tgz
- remark-mdx-1.6.22.tgz
- mdx-1.6.22.tgz
runtime-7.23.2.tgz
Library home page: https://registry.npmjs.org/@babel/runtime/-/runtime-7.23.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- gatsby-theme-carbon-3.4.16.tgz (Root Library)
- gatsby-plugin-mdx-3.20.0.tgz
- ❌ runtime-7.23.2.tgz (Vulnerable Library)
- gatsby-plugin-mdx-3.20.0.tgz
Found in HEAD commit: 38861040afa73313b71d1d8b3f6404bff7d9796b
Found in base branch: master
Vulnerability Details
Babel is a compiler for writing next generation JavaScript. When using versions of Babel prior to 7.26.10 and 8.0.0-alpha.17 to compile regular expression named capturing groups, Babel will generate a polyfill for the ".replace" method that has quadratic complexity on some specific replacement pattern strings (i.e. the second argument passed to ".replace"). Generated code is vulnerable if all the following conditions are true: Using Babel to compile regular expression named capturing groups, using the ".replace" method on a regular expression that contains named capturing groups, and the code using untrusted strings as the second argument of ".replace". This problem has been fixed in "@babel/helpers" and "@babel/runtime" 7.26.10 and 8.0.0-alpha.17. It's likely that individual users do not directly depend on "@babel/helpers", and instead depend on "@babel/core" (which itself depends on "@babel/helpers"). Upgrading to "@babel/core" 7.26.10 is not required, but it guarantees use of a new enough "@babel/helpers" version. Note that just updating Babel dependencies is not enough; one will also need to re-compile the code. No known workarounds are available.
Publish Date: 2025-03-11
URL: CVE-2025-27789
CVSS 3 Score Details (6.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-968p-4wvh-cqc8
Release Date: 2025-03-11
Fix Resolution (@babel/helpers): 7.26.10
Direct dependency fix Resolution (gatsby-theme-carbon): 3.4.17
Fix Resolution (@babel/runtime): 7.26.10
Direct dependency fix Resolution (gatsby-theme-carbon): 3.4.17
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2023-44270
Vulnerable Library - postcss-7.0.36.tgz
Tool for transforming styles with JS plugins
Library home page: https://registry.npmjs.org/postcss/-/postcss-7.0.36.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- gatsby-theme-carbon-3.4.16.tgz (Root Library)
- gatsby-plugin-sass-5.25.0.tgz
- resolve-url-loader-3.1.5.tgz
- ❌ postcss-7.0.36.tgz (Vulnerable Library)
- resolve-url-loader-3.1.5.tgz
- gatsby-plugin-sass-5.25.0.tgz
Found in HEAD commit: 38861040afa73313b71d1d8b3f6404bff7d9796b
Found in base branch: master
Vulnerability Details
An issue was discovered in PostCSS before 8.4.31. The vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being included in a comment.
Publish Date: 2023-09-29
URL: CVE-2023-44270
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-7fh5-64p2-3v2j
Release Date: 2023-09-29
Fix Resolution: postcss - 8.4.31
CVE-2023-0842
Vulnerable Library - xml2js-0.4.23.tgz
Simple XML to JavaScript object converter.
Library home page: https://registry.npmjs.org/xml2js/-/xml2js-0.4.23.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- gatsby-theme-carbon-3.4.16.tgz (Root Library)
- gatsby-source-medium-feed-1.0.6.tgz
- rss-parser-3.7.0.tgz
- ❌ xml2js-0.4.23.tgz (Vulnerable Library)
- rss-parser-3.7.0.tgz
- gatsby-source-medium-feed-1.0.6.tgz
Found in HEAD commit: 38861040afa73313b71d1d8b3f6404bff7d9796b
Found in base branch: master
Vulnerability Details
xml2js version 0.4.23 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the proto property to be edited.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2023-04-05
URL: CVE-2023-0842
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-0842
Release Date: 2023-04-05
Fix Resolution: xml2js - 0.5.0
⛑️Automatic Remediation will be attempted for this issue.