From 26dfce3a3968964065b37deb996b1a69362b6998 Mon Sep 17 00:00:00 2001
From: Create or Update Pull Request Action
Date: Tue, 27 Jan 2026 12:41:21 +0000
Subject: [PATCH] vuln: update deps index.json
---
 vuln/deps/index.json | 118 +++++++++++++++++++++----------------------
 1 file changed, 59 insertions(+), 59 deletions(-)
diff --git a/vuln/deps/index.json b/vuln/deps/index.json
index 4ae207d7..5dab377f 100644
--- a/vuln/deps/index.json
+++ b/vuln/deps/index.json
@@ -1,61 +1,61 @@
 {
- "1": {
- "cve": [
- "CVE-2023-45853"
- ],
- "description": "MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field.",
- "overview": "This CVE was created for MiniZip (part of zlib/contrib/minizip), which is not used by Node.js. Node.js uses zlib for compression but does not use the MiniZip component where this vulnerability exists.",
- "ref": "https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues/205",
- "reason": "vulnerable_code_not_present"
- },
- "2": {
- "cve": [
- "CVE-2024-7535"
- ],
- "description": "Inappropriate implementation in V8 in Google Chrome prior to 127.0.6533.99 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.",
- "overview": "This V8 vulnerability does not fall within Node.js's threat model. The vulnerable code path is not exposed through Node.js APIs and cannot be exploited in normal Node.js usage.",
- "ref": "https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues/190",
- "reason": "vulnerable_code_not_in_execute_path"
- },
- "3": {
- "cve": [
- "CVE-2024-4761",
- "CVE-2024-4947",
- "CVE-2024-5274"
- ],
- "description": "Out of bounds write in V8. Type Confusion in V8. Type confusion in V8 in Google Chrome.",
- "overview": "These V8 vulnerabilities do not fall within Node.js's threat model. The vulnerable code paths are not exposed through Node.js APIs.",
- "ref": "https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues/191",
- "reason": "vulnerable_code_not_in_execute_path"
- },
- "4": {
- "cve": [
- "CVE-2024-3159",
- "CVE-2024-3156"
- ],
- "description": "V8 vulnerabilities in JavaScript engine",
- "overview": "These V8 vulnerabilities do not affect Node.js. The vulnerable functionality is not exposed in Node.js's implementation.",
- "ref": "https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues/184",
- "reason": "vulnerable_code_not_in_execute_path"
- },
- "5": {
- "cve": [
- "CVE-2024-13176"
- ],
- "description": "OpenSSL security vulnerability",
- "overview": "This OpenSSL vulnerability does not affect Node.js. Node.js's usage of OpenSSL does not trigger the vulnerable code path.",
- "ref": "https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues/201",
- "reason": "vulnerable_code_not_in_execute_path"
- },
- "6": {
- "cve": [
- "CVE-2025-9230",
- "CVE-2025-9231",
- "CVE-2025-9232"
- ],
- "description": "OpenSSL security vulnerabilities",
- "overview": "These OpenSSL vulnerabilities do not affect Node.js. Node.js's usage of OpenSSL does not trigger the vulnerable code paths.",
- "ref": "https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues/213",
- "reason": "vulnerable_code_not_in_execute_path"
- }
+ "1": {
+ "cve": [
+ "CVE-2023-45853"
+ ],
+ "description": "MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field.",
+ "overview": "This CVE was created for MiniZip (part of zlib/contrib/minizip), which is not used by Node.js. Node.js uses zlib for compression but does not use the MiniZip component where this vulnerability exists.",
+ "ref": "https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues/205",
+ "reason": "vulnerable_code_not_present"
+ },
+ "2": {
+ "cve": [
+ "CVE-2024-7535"
+ ],
+ "description": "Inappropriate implementation in V8 in Google Chrome prior to 127.0.6533.99 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.",
+ "overview": "This V8 vulnerability does not fall within Node.js's threat model. The vulnerable code path is not exposed through Node.js APIs and cannot be exploited in normal Node.js usage.",
+ "ref": "https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues/190",
+ "reason": "vulnerable_code_not_in_execute_path"
+ },
+ "3": {
+ "cve": [
+ "CVE-2024-4761",
+ "CVE-2024-4947",
+ "CVE-2024-5274"
+ ],
+ "description": "Out of bounds write in V8. Type Confusion in V8. Type confusion in V8 in Google Chrome.",
+ "overview": "These V8 vulnerabilities do not fall within Node.js's threat model. The vulnerable code paths are not exposed through Node.js APIs.",
+ "ref": "https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues/191",
+ "reason": "vulnerable_code_not_in_execute_path"
+ },
+ "4": {
+ "cve": [
+ "CVE-2024-3159",
+ "CVE-2024-3156"
+ ],
+ "description": "V8 vulnerabilities in JavaScript engine",
+ "overview": "These V8 vulnerabilities do not affect Node.js. The vulnerable functionality is not exposed in Node.js's implementation.",
+ "ref": "https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues/184",
+ "reason": "vulnerable_code_not_in_execute_path"
+ },
+ "5": {
+ "cve": [
+ "CVE-2024-13176"
+ ],
+ "description": "OpenSSL security vulnerability",
+ "overview": "This OpenSSL vulnerability does not affect Node.js. Node.js's usage of OpenSSL does not trigger the vulnerable code path.",
+ "ref": "https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues/201",
+ "reason": "vulnerable_code_not_in_execute_path"
+ },
+ "6": {
+ "cve": [
+ "CVE-2025-9230",
+ "CVE-2025-9231",
+ "CVE-2025-9232"
+ ],
+ "description": "OpenSSL security vulnerabilities",
+ "overview": "These OpenSSL vulnerabilities do not affect Node.js. Node.js's usage of OpenSSL does not trigger the vulnerable code paths.",
+ "ref": "https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues/213",
+ "reason": "vulnerable_code_not_in_execute_path"
+ }
 }
\ No newline at end of file