@carbon/ibmdotcom-services-store-1.53.6.tgz: 6 vulnerabilities (highest severity is: 8.7) #12187
Description
Vulnerable Library - @carbon/ibmdotcom-services-store-1.53.6.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/dompurify-npm-2.5.6-535512fe69-ef5fdc075e.zip
Found in HEAD commit: 93b3c5eb479620842f0752d73ba2690cd250e2fc
Vulnerabilities
| Vulnerability | Severity |  CVSS |
Dependency | Type | Fixed in (@carbon/ibmdotcom-services-store version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2025-7783 |  High |
8.7 | form-data-4.0.0.tgz | Transitive | N/A* | ❌ |
| WS-2023-0439 | High |
7.5 | axios-0.27.2.tgz | Transitive | N/A* | ❌ |
| CVE-2025-27152 | High |
7.5 | axios-0.27.2.tgz | Transitive | N/A* | ❌ |
| CVE-2023-45857 |  Medium |
6.5 | axios-0.27.2.tgz | Transitive | N/A* | ❌ |
| WS-2024-0017 | Medium |
6.1 | dompurify-2.5.6.tgz | Transitive | N/A* | ❌ |
| CVE-2025-26791 | Medium |
4.5 | dompurify-2.5.6.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2025-7783
Vulnerable Library - form-data-4.0.0.tgz
A library to create readable "multipart/form-data" streams. Can be used to submit forms and file uploads to other web applications.
Library home page: https://registry.npmjs.org/form-data/-/form-data-4.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/form-data-npm-4.0.0-916facec2d-7264aa760a.zip
Dependency Hierarchy:
- @carbon/ibmdotcom-services-store-1.53.6.tgz (Root Library)
- ibmdotcom-services-1.53.0.tgz
- axios-0.27.2.tgz
- ❌ form-data-4.0.0.tgz (Vulnerable Library)
- axios-0.27.2.tgz
- ibmdotcom-services-1.53.0.tgz
Found in HEAD commit: 93b3c5eb479620842f0752d73ba2690cd250e2fc
Found in base branch: main
Vulnerability Details
Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated with program files lib/form_data.Js.
This issue affects form-data: < 2.5.4, 3.0.0 - 3.0.3, 4.0.0 - 4.0.3.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-07-18
URL: CVE-2025-7783
CVSS 3 Score Details (8.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: form-data/form-data@3d17230
Release Date: 2025-07-18
Fix Resolution: https://github.com/form-data/form-data.git - v3.0.4
WS-2023-0439
Vulnerable Library - axios-0.27.2.tgz
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.27.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/axios-npm-0.27.2-dbe3a48aea-2efaf18dd0.zip
Dependency Hierarchy:
- @carbon/ibmdotcom-services-store-1.53.6.tgz (Root Library)
- ibmdotcom-services-1.53.0.tgz
- ❌ axios-0.27.2.tgz (Vulnerable Library)
- ibmdotcom-services-1.53.0.tgz
Found in HEAD commit: 93b3c5eb479620842f0752d73ba2690cd250e2fc
Found in base branch: main
Vulnerability Details
Axios is vulnerable to Regular Expression Denial of Service (ReDoS). When a manipulated string is provided as input to the format method, the regular expression exhibits a time complexity of O(n^2). Server becomes unable to provide normal service due to the excessive cost and time wasted in processing vulnerable regular expressions.
Publish Date: 2023-10-25
URL: WS-2023-0439
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
CVE-2025-27152
Vulnerable Library - axios-0.27.2.tgz
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.27.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/axios-npm-0.27.2-dbe3a48aea-2efaf18dd0.zip
Dependency Hierarchy:
- @carbon/ibmdotcom-services-store-1.53.6.tgz (Root Library)
- ibmdotcom-services-1.53.0.tgz
- ❌ axios-0.27.2.tgz (Vulnerable Library)
- ibmdotcom-services-1.53.0.tgz
Found in HEAD commit: 93b3c5eb479620842f0752d73ba2690cd250e2fc
Found in base branch: main
Vulnerability Details
axios is a promise based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative URLs to axios. Even if baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This issue impacts both server-side and client-side usage of axios. This issue is fixed in 1.8.2.
Publish Date: 2025-03-07
URL: CVE-2025-27152
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2025-27152
Release Date: 2025-03-07
Fix Resolution: org.webjars.npm:axios:1.8.3
CVE-2023-45857
Vulnerable Library - axios-0.27.2.tgz
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.27.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/axios-npm-0.27.2-dbe3a48aea-2efaf18dd0.zip
Dependency Hierarchy:
- @carbon/ibmdotcom-services-store-1.53.6.tgz (Root Library)
- ibmdotcom-services-1.53.0.tgz
- ❌ axios-0.27.2.tgz (Vulnerable Library)
- ibmdotcom-services-1.53.0.tgz
Found in HEAD commit: 93b3c5eb479620842f0752d73ba2690cd250e2fc
Found in base branch: main
Vulnerability Details
An issue discovered in Axios 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.
Publish Date: 2023-11-08
URL: CVE-2023-45857
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-wf5p-g6vw-rhxx
Release Date: 2023-11-08
Fix Resolution: org.webjars.npm:axios:1.6.0
WS-2024-0017
Vulnerable Library - dompurify-2.5.6.tgz
Library home page: https://registry.npmjs.org/dompurify/-/dompurify-2.5.6.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/dompurify-npm-2.5.6-535512fe69-ef5fdc075e.zip
Dependency Hierarchy:
- @carbon/ibmdotcom-services-store-1.53.6.tgz (Root Library)
- ibmdotcom-utilities-1.53.0.tgz
- isomorphic-dompurify-0.27.0.tgz
- ❌ dompurify-2.5.6.tgz (Vulnerable Library)
- isomorphic-dompurify-0.27.0.tgz
- ibmdotcom-utilities-1.53.0.tgz
Found in HEAD commit: 93b3c5eb479620842f0752d73ba2690cd250e2fc
Found in base branch: main
Vulnerability Details
Insufficient checks in DOMPurify allows an attacker to bypass sanitizers and execute arbitrary JavaScript code. This issue affects versions before 2.5.8 and 3.x before 3.2.3.
Publish Date: 2024-02-08
URL: WS-2024-0017
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://github.com/cure53/DOMPurify/releases/tag/2.5.8
Release Date: 2024-02-08
Fix Resolution: domPurify - 2.5.8,3.2.3
CVE-2025-26791
Vulnerable Library - dompurify-2.5.6.tgz
Library home page: https://registry.npmjs.org/dompurify/-/dompurify-2.5.6.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/dompurify-npm-2.5.6-535512fe69-ef5fdc075e.zip
Dependency Hierarchy:
- @carbon/ibmdotcom-services-store-1.53.6.tgz (Root Library)
- ibmdotcom-utilities-1.53.0.tgz
- isomorphic-dompurify-0.27.0.tgz
- ❌ dompurify-2.5.6.tgz (Vulnerable Library)
- isomorphic-dompurify-0.27.0.tgz
- ibmdotcom-utilities-1.53.0.tgz
Found in HEAD commit: 93b3c5eb479620842f0752d73ba2690cd250e2fc
Found in base branch: main
Vulnerability Details
DOMPurify before 3.2.4 has an incorrect template literal regular expression, sometimes leading to mutation cross-site scripting (mXSS).
Publish Date: 2025-02-14
URL: CVE-2025-26791
CVSS 3 Score Details (4.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2025-26791
Release Date: 2025-02-14
Fix Resolution: dompurify - 3.2.4