CVEs found in scan

[freemansoft]

Is there an existing issue for this?

• I have searched the existing issues and didn't find mine.

Steps to reproduce

We ran two scanners against Maestro while getting approval to run in our environment. They found a couple of critical CVE.

Actual results

Package	Vulnerability ID	Description	Severity	Installed	Fixed
pkg:npm/webpack@5.75.0	CVE-2023-28154	webpack: avoid cross-realm objects	 Critical	5.75.0	5.76.0
pkg:npm/%40babel/traverse@ 7.20.5	CVE-2023-45133	babel: arbitrary code execution	 Critical	7.20.5	7.23.2, 8.0.0- alpha.4
pkg:npm/http-proxy middleware@2.0.6	CVE-2024-21536	http-proxy-middleware: Denial of Service	 High	2.0.6	2.0.7, 3.0.3
pkg:maven/org.yaml/snakeya ml@1.29	CVE-2022-25857	snakeyaml: Denial of Service due to missing nested depth limitation for collections	 High	1.29	1.31
pkg:npm/json5@1.0.1	CVE-2022-46175	json5: Prototype Pollution in JSON5 via Parse Method	 High	1.0.1	2.2.2, 1.0.2
pkg:npm/body-parser@1.20.1	CVE-2024-45590	body-parser: Denial of Service Vulnerability in body-parser	 High	1.20.1	1.20.3
pkg:npm/ws@7.5.9	CVE-2024-37890	nodejs-ws: denial of service when handling a request with many HTTP headers	 High	7.5.9	5.2.4, 6.2.3, 7.5.10, 8.17.1
pkg:maven/org.yaml/snakeya ml@1.29	CVE-2022-1471	SnakeYaml: Constructor Deserialization Remote Code Execution	 High	1.29	2
pkg:npm/path-to regexp@0.1.7	CVE-2024-52798	path-to-regexp: path-to-regexp Unpatched path-to-regexp ReDoS in 0.1.x	 High	0.1.7	0.1.12
pkg:npm/path-to regexp@0.1.7	CVE-2024-45296	path-to-regexp: Backtracking regular expressions cause ReDoS	 High	0.1.7	1.9.0, 0.1.10, 8.0.0, 3.3.0, 6.3.0
pkg:npm/rollup@2.79.1	CVE-2024-47068	rollup: DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS	 High	2.79.1	3.29.5, 4.22.4, 2.79.2
pkg:npm/nth-check@1.0.2	CVE-2021-3803	nodejs-nth-check: inefficient regular expression complexity	 High	1.0.2	2.0.1
pkg:npm/yaml@2.2.1	CVE-2023-2251	Uncaught Exception in GitHub repository eemeli/yaml prior to 2.0.0-5.	 High	2.2.1	2.2.2
Package	Vulnerability ID	Description	Severity	Installed	Fixed
pkg:maven/io.gitlab.arturb osch.detekt/detekt core@1.19.0	CVE-2022-0272	XML External Entity Reference in detekt	 High	1.19.0	1.20.0
pkg:npm/http-proxy middleware@2.0.6	CVE-2025-32996	http-proxy-middleware can call writeBody twice because "else if" is not used	 Medium	2.0.6	2.0.8, 3.0.4
pkg:npm/postcss@7.0.39	CVE-2023-44270	PostCSS: Improper input validation in PostCSS	 Medium	7.0.39	8.4.31
pkg:maven/org.yaml/snakeya ml@1.29	CVE-2022-38752	snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCo de	 Medium	1.29	1.32
pkg:maven/org.yaml/snakeya ml@1.29	CVE-2022-38749	snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer .composeSequenceNode	 Medium	1.29	1.31
pkg:npm/word-wrap@1.2.3	CVE-2023-26115	word-wrap: ReDoS	 Medium	1.2.3	1.2.4
pkg:npm/%40adobe/css tools@4.0.1	CVE-2023-26364	css-tools: Improper Input Validation causes Denial of Service via Regular Expression	 Medium	4.0.1	4.3.1
pkg:npm/%40adobe/css tools@4.0.1	CVE-2023-48631	css-tools: regular expression denial of service (ReDoS) when parsing CSS	 Medium	4.0.1	4.3.2
pkg:maven/org.yaml/snakeya ml@1.29	CVE-2022-38751	snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Qu es.match	 Medium	1.29	1.31
pkg:maven/org.jetbrains.ko tlin/kotlin-stdlib@1.5.31	CVE-2022-24329	kotlin: Not possible to lock dependencies for Multiplatform Gradle Projects	 Medium	1.5.31	1.6.0
pkg:maven/org.yaml/snakeya ml@1.29	CVE-2022-41854	dev-java/snakeyaml: DoS via stack overflow	 Medium	1.29	1.32
pkg:npm/http-proxy middleware@2.0.6	CVE-2025-32997	http-proxy-middleware allows fixRequestBody to proceed even if bodyParser has failed	 Medium	2.0.6	2.0.9, 3.0.5
pkg:npm/follow redirects@1.15.2	CVE-2024-28849	follow-redirects: Possible credential leak	 Medium	1.15.2	1.15.6
pkg:maven/org.yaml/snakeya ml@1.29	CVE-2022-38750	snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseC onstructor.constructObject	 Medium	1.29	1.31
Package	Vulnerability ID	Description	Severity	Installed	Fixed
pkg:npm/express@4.18.2	CVE-2024-29041	express: cause malformed URLs to be evaluated	 Medium	4.18.2	4.19.2, 5.0.0- beta.3
pkg:npm/serialize javascript@6.0.0	CVE-2024-11831	npm-serialize-javascript: Cross-site Scripting (XSS) in serialize javascript	 Medium	6.0.0	6.0.2
pkg:npm/nanoid@3.3.4	CVE-2024-55565	nanoid: nanoid mishandles non integer values	 Medium	3.3.4	5.0.9, 3.3.8
pkg:npm/follow redirects@1.15.2	CVE-2023-26159	follow-redirects: Improper Input Validation due to the improper handling of URLs by the url.parse()	 Medium	1.15.2	1.15.4
pkg:npm/webpack@5.75.0	CVE-2024-43788	webpack: DOM Clobbering vulnerability in AutoPublicPathRuntimeModule	 Medium	5.75.0	5.94.0
pkg:npm/ejs@3.1.8	CVE-2024-33883	The ejs (aka Embedded JavaScript templates) package before 3.1.10 for ...	 Medium	3.1.8	3.1.10
pkg:npm/tough-cookie@4.1.2	CVE-2023-26136	tough-cookie: prototype pollution in cookie memstore	 Medium	4.1.2	4.1.3
pkg:npm/%40babel/helpers@7 .20.6	CVE-2025-27789	Babel is a compiler for writing next generation JavaScript. When using ...	 Medium	7.20.6	7.26.10, 8.0.0- alpha.17
pkg:npm/serve static@1.15.0	CVE-2024-43800	serve-static: Improper Sanitization in serve-static	 Low	1.15.0	1.16.0, 2.1.0
pkg:npm/express@4.18.2	CVE-2024-43796	express: Improper Input Handling in Express Redirects	 Low	4.18.2	4.20.0, 5.0.0
pkg:npm/send@0.18.0	CVE-2024-43799	send: Code Execution Vulnerability in Send Library	 Low	0.18.0	0.19.0
pkg:npm/cookie@0.5.0	CVE-2024-47764	cookie: cookie accepts cookie name, path, and domain with out of bounds characters	 Low	0.5.0	0.7.0
pkg:npm/ip	CVE-2024-29415	ip SSRF improper categorization in isPublic	 High	2.0.0	N/A
Package	Vulnerability ID	Description	Severity	Installed	Fixed
pkg:npm/cross-spawn	CVE-2024-21538	Regular Expression Denial of Service (ReDoS) in cross-spawn	 High	6.0.5	7.0.5
pkg:npm/trim	CVE-2020-7753	Regular Expression Denial of Service in trim	 High	0.0.1	0.0.3
pkg:npm/trim-newlines	CVE-2021-33623	Uncontrolled Resource Consumption in trim-newlines	 High	1.0.0	3.0.1
pkg:npm/semver	CVE-2022-25883	semver vulnerable to Regular Expression Denial of Service	 High	5.7.1	7.5.2
pkg:npm/browserify-sign	CVE-2023-46234	browserify-sign upper bound check issue in dsaVerify leads to a signature forgery attack	 High	4.2.1	4.2.2
pkg:npm/webpack-dev middleware	CVE-2024-29180	Path traversal in webpack-dev middleware	 High	3.7.3	7.1.0
pkg:npm/braces	CVE-2024-4068	Uncontrolled resource consumption in braces	 High	2.3.2	3.0.3
pkg:npm/elliptic	CVE-2024-48949	Elliptic's verify function omits uniqueness validation	 Medium	6.5.4	6.5.6
pkg:npm/micromatch	CVE-2024-4067	Regular Expression Denial of Service (ReDoS) in micromatch	 Medium	3.1.10	4.0.8
pkg:npm/store2	CVE-2024-57556	Cross Site Scripting vulnerability in store2	 Medium	2.14.2	2.14.4
pkg:npm/elliptic	CVE-2024-42459	Elliptic's EDDSA missing signature length check	 Medium	6.5.4	6.5.7
pkg:npm/elliptic	CVE-2024-48948	Valid ECDSA signatures erroneously rejected in Elliptic	 Medium	6.5.4	6.6.0
pkg:npm/elliptic	CVE-2024-42460	Elliptic's ECDSA missing check for whether leading bit of r and s is zero	 Medium	6.5.4	6.5.7
Package	Vulnerability ID	Description	Severity	Installed	Fixed
pkg:npm/graphql	CVE-2023-26144	graphql Uncontrolled Resource Consumption vulnerability	 Medium	16.8.0	16.8.1
pkg:npm/elliptic	CVE-2024-42461	Elliptic allows BER-encoded signatures	 Medium	6.5.4	6.5.7
pkg:npm/tar	CVE-2024-28863	Denial of service while parsing a tar file due to lack of folders count validation	 Medium	6.1.12	6.2.1
pkg:npm/ip	CVE-2023-42282	NPM IP package incorrectly identifies some private IP addresses as public	 N/A	2.0.0	2.0.1
pkg:npm/elliptic	GHSA-vjh7-7g9h fjfh	Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string)	 N/A	6.5.4	6.6.1

Expected results

No Critical or High CVE

About app

This was part of onboarding or validating we could run Maestro in our environment.

About environment

N/A

Logs

N/A

Maestro version

1.40.0

How did you install Maestro?

install script (https://get.maestro.mobile.dev)

Anything else?

No response

[linear]

MAE-140 CVEs found in scan

[freemansoft]

I can't see the linear posted CVEs. Nothing in my markdown table should be an issue.

[Fishbowler]

The linear link is an internal tracker for the Maestro engineering team. You can ignore that.

I'm gonna take a look at this list today. I suspect a bunch will be dev-time only npm things that won't have any end-user impact.

Thanks for doing this!

[Fishbowler]

NPM dependencies all appear to be build time. I suspect even runtime vulnerabilities would be difficult to exploit, given they're running from a non-standard web server bound to localhost. I'll open a PR to bump what can be bumped.

[Fishbowler]

It'd be useful to know which scanner you're using. dependency-check gives pretty different results.

[Fishbowler]

I've opened #2434 to solve a bunch and remove some unnecessary dependencies to maybe avoid some others.

There's a bunch that remain unsolved according to dependency-check.
The NPM ones are all introduced by react-scripts, which is a dev dependency that Facebook insists belongs as a runtime dependency because it's tied to react, which is compiled into a runtime dependency in the JS. Meh. The remaining risks are ~zero.

I don't see snakeyaml reported, but it's a dependency of bunch of things which I've bumped. A gradle build --scan reports them all as 2.2 now.

I don't see detekt in the build tree at all. Maybe I've upgraded it away?

[freemansoft]

The report I extracted this from said two scanners were used: "trivy" and "osv-scanner".

• No idea how the severity is calculated, based on the risk of the exploit or the difficulty in activating the exploit or both.
• Super cool that the problem report auto-inserted links to the actual CVE descriptions.

The company I'm proxying for is looking at Maestro, and it requires a passing scan before we can seriously consider installing/using it. Thank you for taking it this seriously.

[Fishbowler]

If we provided a .trivyignore file with justifications for remaining items, would that be useful?

[Fishbowler]

I've had a quick blast with both of those tools, and they're only picking up npm things, not gradle things. I'm guessing whoever wrote your report has a greater mastery than me with a few minutes of playing 😂

If the report includes any tips, I'm all ears.

[freemansoft]

I can ask...

If we provided a .trivyignore file with justifications for remaining items, would that be useful?

[freemansoft]

I will ask for a re-scan after the PR is merged.

[Fishbowler]

Did you get any intel on the trivyignore?

[freemansoft]

Forgot to ask in our last report review