SECURITY VULNERABILITIES

This package introduces many vulnerabilities via its dependencies. Please patch them.

## Summary

- **Total vulnerabilities affecting HubSpot CLI: 27**
- **Critical: 1** | **High: 4** | **Moderate: 16** | **Low: 6**

---

## Critical Vulnerabilities (1)

### 1. form-data - Unsafe random function
- **CVE:** CVE-2025-7783
- **ID:** 1106509
- **Severity:** Critical
- **Path:** `.>@hubspot/cli>@hubspot/cms-dev-server>request>form-data`
- **Vulnerable version:** 2.3.3
- **Description:** Uses Math.random() for boundary values, enabling SSRF and credential leakage
- **Fix:** Upgrade to version 2.5.4 or later

---

## High Vulnerabilities (4)

### 2. axios - SSRF via path relative URLs
- **CVE:** CVE-2024-39338
- **ID:** 1098583
- **Severity:** High
- **Path:** `.>@hubspot/cli>@hubspot/ui-extensions-dev-server>@hubspot/app-functions-dev-server>axios`
- **Vulnerable version:** 1.6.8
- **Fix:** Upgrade to version 1.7.4 or later

### 3. body-parser - DoS vulnerability
- **CVE:** CVE-2024-45590
- **ID:** 1099520
- **Severity:** High
- **Path:** `.>@hubspot/cli>@hubspot/ui-extensions-dev-server>express>body-parser`
- **Vulnerable version:** 1.20.1
- **Fix:** Upgrade to version 1.20.3 or later

### 4. path-to-regexp - ReDoS vulnerability
- **CVE:** CVE-2024-45296, CVE-2024-52798
- **ID:** 1101850, 1105199
- **Severity:** High
- **Path:** `.>@hubspot/cli>@hubspot/ui-extensions-dev-server>express>path-to-regexp`
- **Vulnerable version:** 0.1.7
- **Fix:** Upgrade to version 0.1.12 or later

### 5. axios - DoS via data URLs
- **CVE:** CVE-2025-58754
- **ID:** 1107516
- **Severity:** High
- **Paths:** 
  - `.>@hubspot/cli>@hubspot/local-dev-lib>axios` (v1.8.4)
  - `.>@hubspot/cli>@hubspot/ui-extensions-dev-server>@hubspot/app-functions-dev-server>axios` (v1.6.8)
- **Fix:** Upgrade to version 1.12.0 or later

---

## Moderate Vulnerabilities (16)

### 6. request - SSRF vulnerability
- **CVE:** CVE-2023-28155
- **ID:** 1096727
- **Path:** `.>@hubspot/cli>@hubspot/cms-dev-server>request`
- **Vulnerable version:** 2.88.2
- **Note:** Package is no longer maintained

### 7. express - Open redirect
- **CVE:** CVE-2024-29041
- **ID:** 1096820
- **Path:** `.>@hubspot/cli>@hubspot/ui-extensions-dev-server>express`
- **Vulnerable version:** 4.18.2
- **Fix:** Upgrade to version 4.19.2 or later

### 8. tough-cookie - Prototype pollution
- **CVE:** CVE-2023-26136
- **ID:** 1097682
- **Path:** `.>@hubspot/cli>@hubspot/cms-dev-server>request>tough-cookie`
- **Vulnerable version:** 2.5.0
- **Fix:** Upgrade to version 4.1.3 or later

### 9. send - Template injection XSS
- **CVE:** CVE-2024-43799
- **ID:** 1100526
- **Path:** `.>@hubspot/cli>@hubspot/ui-extensions-dev-server>express>send`
- **Vulnerable version:** 0.18.0
- **Fix:** Upgrade to version 0.19.0 or later

### 10. serve-static - Template injection XSS
- **CVE:** CVE-2024-43800
- **ID:** 1100528
- **Path:** `.>@hubspot/cli>@hubspot/ui-extensions-dev-server>express>serve-static`
- **Vulnerable version:** 1.15.0
- **Fix:** Upgrade to version 1.16.0 or later

### 11. @octokit/request-error - ReDoS vulnerability
- **CVE:** CVE-2025-25289
- **ID:** 1102256
- **Path:** `.>@hubspot/cli>@hubspot/cms-dev-server>vite-plugin-mkcert>@octokit/rest>@octokit/core>@octokit/request-error`
- **Vulnerable version:** 3.0.3
- **Fix:** Upgrade to version 5.1.1 or later

### 12. esbuild - CORS vulnerability
- **CVE:** GHSA-67mh-4wv8-2f99
- **ID:** 1102341
- **Paths:**
  - `.>@hubspot/cli>@hubspot/ui-extensions-dev-server>vite>esbuild` (v0.21.5)
  - `.>@hubspot/cli>@hubspot/cms-dev-server>@originjs/vite-plugin-commonjs>esbuild` (v0.14.54)
- **Fix:** Upgrade to version 0.25.0 or later

### 13-18. Multiple Vite vulnerabilities
- **CVEs:** CVE-2025-24010, CVE-2025-30208, CVE-2025-31125, CVE-2025-32395, CVE-2025-31486, CVE-2025-46565, CVE-2025-58751, CVE-2025-58752
- **IDs:** 1102437, 1103517, 1103628, 1103884, 1104173, 1104202, 1107323, 1107327
- **Path:** `.>@hubspot/cli>@hubspot/ui-extensions-dev-server>vite`
- **Vulnerable version:** 5.4.8
- **Various issues:** CORS bypass, file disclosure, server.fs.deny bypass
- **Fix:** Upgrade to version 5.4.20 or later

### 19. @octokit/request - ReDoS vulnerability
- **CVE:** CVE-2025-25290
- **ID:** 1102896
- **Path:** `.>@hubspot/cli>@hubspot/cms-dev-server>vite-plugin-mkcert>@octokit/rest>@octokit/core>@octokit/request`
- **Vulnerable version:** 6.2.8
- **Fix:** Upgrade to version 8.4.1 or later

### 20. @octokit/plugin-paginate-rest - ReDoS vulnerability
- **CVE:** CVE-2025-25288
- **ID:** 1102898
- **Path:** `.>@hubspot/cli>@hubspot/cms-dev-server>vite-plugin-mkcert>@octokit/rest>@octokit/plugin-paginate-rest`
- **Vulnerable version:** 6.1.2
- **Fix:** Upgrade to version 9.2.2 or later

### 21. axios - SSRF via absolute URLs
- **CVE:** CVE-2025-27152
- **ID:** 1103618
- **Path:** `.>@hubspot/cli>@hubspot/ui-extensions-dev-server>@hubspot/app-functions-dev-server>axios`
- **Vulnerable version:** 1.6.8
- **Fix:** Upgrade to version 1.8.2 or later

---

## Low Vulnerabilities (6)

### 22. express - XSS via response.redirect
- **CVE:** CVE-2024-43796
- **ID:** 1100530
- **Path:** `.>@hubspot/cli>@hubspot/ui-extensions-dev-server>express`
- **Vulnerable version:** 4.18.2
- **Fix:** Upgrade to version 4.20.0 or later

### 23. cookie - Out of bounds characters
- **CVE:** CVE-2024-47764
- **ID:** 1103907
- **Paths:**
  - `.>@hubspot/cli>@hubspot/ui-extensions-dev-server>express>cookie` (v0.5.0)
  - `.>@hubspot/cli>@hubspot/cms-dev-server>@sentry/node>cookie` (v0.4.2)
- **Fix:** Upgrade to version 0.7.0 or later

### 24. tmp - Arbitrary file write via symlink
- **CVE:** CVE-2025-54798
- **ID:** 1106849
- **Paths:**
  - `.>@hubspot/cli>@hubspot/ui-extensions-dev-server>inquirer>external-editor>tmp` (v0.0.33)
  - `.>@hubspot/cli>tmp` (v0.2.3)
- **Fix:** Upgrade to version 0.2.4 or later



Provide feedback

Saved searches

Use saved searches to filter your results more quickly

SECURITY VULNERABILITIES #1554

Summary

Critical Vulnerabilities (1)

1. form-data - Unsafe random function

High Vulnerabilities (4)

2. axios - SSRF via path relative URLs

3. body-parser - DoS vulnerability

4. path-to-regexp - ReDoS vulnerability

5. axios - DoS via data URLs

Moderate Vulnerabilities (16)

6. request - SSRF vulnerability

7. express - Open redirect

8. tough-cookie - Prototype pollution

9. send - Template injection XSS

10. serve-static - Template injection XSS

11. @octokit/request-error - ReDoS vulnerability

12. esbuild - CORS vulnerability

13-18. Multiple Vite vulnerabilities

19. @octokit/request - ReDoS vulnerability

20. @octokit/plugin-paginate-rest - ReDoS vulnerability

21. axios - SSRF via absolute URLs

Low Vulnerabilities (6)

22. express - XSS via response.redirect

23. cookie - Out of bounds characters

24. tmp - Arbitrary file write via symlink

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

SECURITY VULNERABILITIES #1554

Description

Summary

Critical Vulnerabilities (1)

1. form-data - Unsafe random function

High Vulnerabilities (4)

2. axios - SSRF via path relative URLs

3. body-parser - DoS vulnerability

4. path-to-regexp - ReDoS vulnerability

5. axios - DoS via data URLs

Moderate Vulnerabilities (16)

6. request - SSRF vulnerability

7. express - Open redirect

8. tough-cookie - Prototype pollution

9. send - Template injection XSS

10. serve-static - Template injection XSS

11. @octokit/request-error - ReDoS vulnerability

12. esbuild - CORS vulnerability

13-18. Multiple Vite vulnerabilities

19. @octokit/request - ReDoS vulnerability

20. @octokit/plugin-paginate-rest - ReDoS vulnerability

21. axios - SSRF via absolute URLs

Low Vulnerabilities (6)

22. express - XSS via response.redirect

23. cookie - Out of bounds characters

24. tmp - Arbitrary file write via symlink

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions