NPM Audit Report

Overview

Connect is a stack of middleware that is executed in order in each request.

The "methodOverride" middleware allows the http post to override the method of the request with the value of the "_method" post key or with the header "x-http-method-override".

Because the user post input was not checked, req.method could contain any kind of value. Because the req.method did not match any common method VERB, connect answered with a 404 page containing the "Cannot [method] [url]" content. The method was not properly encoded for output in the browser.

###Example:

~ curl "localhost:3000" -d "_method=<script src=http://nodesecurity.io/xss.js></script>"
Cannot <SCRIPT SRC=HTTP://NODESECURITY.IO/XSS.JS></SCRIPT> /

Findings

• weinre>express>connect

Remediation

Update to the newest version of Connect or disable methodOverride. It is not possible to avoid the vulnerability if you have enabled this middleware in the top of your stack.

References

(2013-06-27) Bug reported: https://github.com/senchalabs/connect/issues/831

(2013-06-27) First fix: escape req.method output https://github.com/senchalabs/connect/commit/277e5aad6a95d00f55571a9a0e11f2fa190d8135

(2013-06-27) Second fix: whitelist https://github.com/senchalabs/connect/commit/126187c4e12162e231b87350740045e5bb06e93a

Overview

Vulnerable versions of express do not specify a charset field in the content-type header while displaying 400 level response messages. The lack of enforcing user's browser to set correct charset, could be leveraged by an attacker to perform a cross-site scripting attack, using non-standard encodings, like UTF-7.

Findings

• weinre>express

Remediation

For express 3.x, update express to version 3.11 or later. For express 4.x, update express to version 4.5 or later.

Overview

Versions prior to 1.0.0 of qs are affected by a denial of service vulnerability that results from excessive recursion in parsing a deeply nested JSON string.

Findings

• weinre>express>qs

Remediation

Update to version 1.0.0 or later

Overview

Versions prior to 1.0 of qs are affected by a denial of service condition. This condition is triggered by parsing a crafted string that deserializes into very large sparse arrays, resulting in the process running out of memory and eventually crashing.

Findings

• weinre>express>qs

Remediation

Update to version 1.0.0 or later.

References

• https://github.com/visionmedia/node-querystring/issues/104

Overview

Affected versions of mime are vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.

Findings

• weinre>express>mime

Remediation

Update to version 2.0.3 or later.

References

Issue #167

Overview

Versions of open before 6.0.0 are vulnerable to command injection when unsanitized user input is passed in.

The package does come with the following warning in the readme:

The same care should be taken when calling open as if you were calling child_process.exec directly. If it is an executable it will run in a new shell.

Findings

• open
• open-browser-webpack-plugin>open

Remediation

open is now the deprecated opn package. Upgrading to the latest version is likely have unwanted effects since it now has a very different API but will prevent this vulnerability.

References

• HackerOne Report

Overview

Versions of braces prior to 2.3.1 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service.

Findings

• babel-jest>babel-plugin-istanbul>test-exclude>micromatch>braces
• jest>jest-cli>jest-config>babel-jest>babel-plugin-istanbul>test-exclude>micromatch>braces
• jest>jest-cli>jest-runner>jest-config>babel-jest>babel-plugin-istanbul>test-exclude>micromatch>braces
• jest>jest-cli>jest-runner>jest-runtime>jest-config>babel-jest>babel-plugin-istanbul>test-exclude>micromatch>braces
• jest>jest-cli>jest-runtime>jest-config>babel-jest>babel-plugin-istanbul>test-exclude>micromatch>braces
• jest>jest-cli>jest-runner>jest-runtime>babel-plugin-istanbul>test-exclude>micromatch>braces
• jest>jest-cli>jest-runtime>babel-plugin-istanbul>test-exclude>micromatch>braces

• jest>jest-cli>jest-config>jest-environment-jsdom>jest-util>jest-message-util>micromatch>braces
• jest>jest-cli>jest-runner>jest-config>jest-environment-jsdom>jest-util>jest-message-util>micromatch>braces
• jest>jest-cli>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jest-util>jest-message-util>micromatch>braces
• jest>jest-cli>jest-runtime>jest-config>jest-environment-jsdom>jest-util>jest-message-util>micromatch>braces
• jest>jest-cli>jest-environment-jsdom>jest-util>jest-message-util>micromatch>braces
• jest-environment-jsdom>jest-util>jest-message-util>micromatch>braces
• jest>jest-cli>jest-config>jest-environment-node>jest-util>jest-message-util>micromatch>braces
• jest>jest-cli>jest-runner>jest-config>jest-environment-node>jest-util>jest-message-util>micromatch>braces
• jest>jest-cli>jest-runner>jest-runtime>jest-config>jest-environment-node>jest-util>jest-message-util>micromatch>braces
• jest>jest-cli>jest-runtime>jest-config>jest-environment-node>jest-util>jest-message-util>micromatch>braces
• jest>jest-cli>jest-config>jest-jasmine2>jest-util>jest-message-util>micromatch>braces
• jest>jest-cli>jest-runner>jest-config>jest-jasmine2>jest-util>jest-message-util>micromatch>braces
• jest>jest-cli>jest-runner>jest-runtime>jest-config>jest-jasmine2>jest-util>jest-message-util>micromatch>braces
• jest>jest-cli>jest-runtime>jest-config>jest-jasmine2>jest-util>jest-message-util>micromatch>braces
• jest>jest-cli>jest-runner>jest-jasmine2>jest-util>jest-message-util>micromatch>braces
• jest>jest-cli>jest-config>jest-util>jest-message-util>micromatch>braces
• jest>jest-cli>jest-runner>jest-config>jest-util>jest-message-util>micromatch>braces
• jest>jest-cli>jest-runner>jest-runtime>jest-config>jest-util>jest-message-util>micromatch>braces
• jest>jest-cli>jest-runtime>jest-config>jest-util>jest-message-util>micromatch>braces
• jest>jest-cli>jest-runner>jest-runtime>jest-util>jest-message-util>micromatch>braces
• jest>jest-cli>jest-runtime>jest-util>jest-message-util>micromatch>braces
• jest>jest-cli>jest-runner>jest-util>jest-message-util>micromatch>braces
• jest>jest-cli>jest-util>jest-message-util>micromatch>braces
• jest>jest-cli>jest-config>jest-jasmine2>expect>jest-message-util>micromatch>braces
• jest>jest-cli>jest-runner>jest-config>jest-jasmine2>expect>jest-message-util>micromatch>braces
• jest>jest-cli>jest-runner>jest-runtime>jest-config>jest-jasmine2>expect>jest-message-util>micromatch>braces
• jest>jest-cli>jest-runtime>jest-config>jest-jasmine2>expect>jest-message-util>micromatch>braces
• jest>jest-cli>jest-runner>jest-jasmine2>expect>jest-message-util>micromatch>braces
• jest>jest-cli>jest-config>jest-jasmine2>jest-message-util>micromatch>braces
• jest>jest-cli>jest-runner>jest-config>jest-jasmine2>jest-message-util>micromatch>braces
• jest>jest-cli>jest-runner>jest-runtime>jest-config>jest-jasmine2>jest-message-util>micromatch>braces
• jest>jest-cli>jest-runtime>jest-config>jest-jasmine2>jest-message-util>micromatch>braces
• jest>jest-cli>jest-runner>jest-jasmine2>jest-message-util>micromatch>braces
• jest>jest-cli>jest-config>jest-jasmine2>jest-snapshot>jest-message-util>micromatch>braces
• jest>jest-cli>jest-runner>jest-config>jest-jasmine2>jest-snapshot>jest-message-util>micromatch>braces
• jest>jest-cli>jest-runner>jest-runtime>jest-config>jest-jasmine2>jest-snapshot>jest-message-util>micromatch>braces
• jest>jest-cli>jest-runtime>jest-config>jest-jasmine2>jest-snapshot>jest-message-util>micromatch>braces
• jest>jest-cli>jest-runner>jest-jasmine2>jest-snapshot>jest-message-util>micromatch>braces
• jest>jest-cli>jest-resolve-dependencies>jest-snapshot>jest-message-util>micromatch>braces
• jest>jest-cli>jest-runner>jest-runtime>jest-snapshot>jest-message-util>micromatch>braces
• jest>jest-cli>jest-runtime>jest-snapshot>jest-message-util>micromatch>braces
• jest>jest-cli>jest-snapshot>jest-message-util>micromatch>braces
• jest>jest-cli>jest-message-util>micromatch>braces
• jest>jest-cli>jest-runner>jest-message-util>micromatch>braces
• jest>jest-cli>jest-runner>jest-runtime>jest-message-util>micromatch>braces
• jest>jest-cli>jest-runtime>jest-message-util>micromatch>braces

• jest>jest-cli>jest-config>micromatch>braces
• jest>jest-cli>jest-runner>jest-config>micromatch>braces
• jest>jest-cli>jest-runner>jest-runtime>jest-config>micromatch>braces
• jest>jest-cli>jest-runtime>jest-config>micromatch>braces

• jest>jest-cli>jest-haste-map>micromatch>braces
• jest>jest-cli>jest-runner>jest-haste-map>micromatch>braces
• jest>jest-cli>jest-runner>jest-runtime>jest-haste-map>micromatch>braces
• jest>jest-cli>jest-runtime>jest-haste-map>micromatch>braces

• jest>jest-cli>jest-runner>jest-runtime>micromatch>braces
• jest>jest-cli>jest-runtime>micromatch>braces

• jest>jest-cli>micromatch>braces

Remediation

Upgrade to version 2.3.1 or higher.

References

• GitHub Commit

Overview

Versions of serialize-javascript prior to 2.1.1 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize serialized regular expressions. This vulnerability does not affect Node.js applications.

Findings

• uglifyjs-webpack-plugin>serialize-javascript

Remediation

Upgrade to version 2.1.1 or later.

References

• GitHub advisory

Overview

Affected version of qs are vulnerable to Prototype Pollution because it is possible to bypass the protection. The qs.parse function fails to properly prevent an object's prototype to be altered when parsing arbitrary input. Input containing [ or ] may bypass the prototype pollution protection and alter the Object prototype. This allows attackers to override properties that will exist in all objects, which may lead to Denial of Service or Remote Code Execution in specific circumstances.

Findings

• weinre>express>qs

Remediation

Upgrade to 6.0.4, 6.1.2, 6.2.3, 6.3.2 or later.

References

• GitHub Issue
• Snyk Report

Overview

Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument --foo.__proto__.bar baz' adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.

Findings

• jest>jest-cli>jest-runner>jest-runtime>yargs>yargs-parser
• jest>jest-cli>jest-runtime>yargs>yargs-parser
• jest>jest-cli>yargs>yargs-parser

Remediation

Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.

References

• Snyk Report

Overview

serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".

An object such as {"foo": /1"/, "bar": "a\"@__R-<UID>-0__@"} was serialized as {"foo": /1"/, "bar": "a\/1"/}, which allows an attacker to escape the bar key. This requires the attacker to control the values of both foo and bar and guess the value of . The UID has a keyspace of approximately 4 billion making it a realistic network attack.

The following proof-of-concept calls console.log() when the running eval():
eval('('+ serialize({"foo": /1" + console.log(1)/i, "bar": '"@__R-<UID>-0__@'}) + ')');

Findings

• uglifyjs-webpack-plugin>serialize-javascript

Remediation

Upgrade to version 3.1.0 or later.

References

• GitHub Advisory

Overview

Node Fetch did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure.

For most people, this fix will have a little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant, for example: If you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.

Findings

• @material-ui/core>recompose>fbjs>isomorphic-fetch>node-fetch
• @material-ui/icons>recompose>fbjs>isomorphic-fetch>node-fetch

Remediation

Upgrade to version 2.6.1 or 3.0.0-beta.9

References

• https://github.com/node-fetch/node-fetch/security/advisories/GHSA-w7rc-rwvf-8q5r

Overview

Versions of merge before 2.1.1 are vulnerable to Prototype Pollution via _recursiveMerge .

Findings

• jest>jest-cli>jest-haste-map>sane>exec-sh>merge
• jest>jest-cli>jest-runner>jest-haste-map>sane>exec-sh>merge
• jest>jest-cli>jest-runner>jest-runtime>jest-haste-map>sane>exec-sh>merge
• jest>jest-cli>jest-runtime>jest-haste-map>sane>exec-sh>merge
• jest>jest-cli>jest-haste-map>sane>watch>exec-sh>merge
• jest>jest-cli>jest-runner>jest-haste-map>sane>watch>exec-sh>merge
• jest>jest-cli>jest-runner>jest-runtime>jest-haste-map>sane>watch>exec-sh>merge
• jest>jest-cli>jest-runtime>jest-haste-map>sane>watch>exec-sh>merge

Remediation

Upgrade to version 2.1.1 or later

References

• CVE
• GitHub Advisory

Overview

The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Execution via the template function, particularly when a variable property is passed as an argument as it is not sanitized.

Findings

• weinre>underscore

Remediation

Upgrade to versions 1.12.1 or 1.13.0-2 or later

References

• CVE
• GitHub Advisory

Overview

In ws before versions 5.2.3, 6.2.2 and 7.4.6 there is a ReDOS vulnerability.

Impact

A specially crafted value of the Sec-Websocket-Protocol header can be used to significantly slow down a ws server.

Proof of concept

for (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {
  const value = 'b' + ' '.repeat(length) + 'x';
  const start = process.hrtime.bigint();

  value.trim().split(/ *, */);

  const end = process.hrtime.bigint();

  console.log('length = %d, time = %f ns', length, end - start);
}

Patches

The vulnerability was fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff).

Workarounds

In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options.

Credits

The vulnerability was responsibly disclosed along with a fix in private by Robert McLaughlin from University of California, Santa Barbara.

Findings

• jest>jest-cli>jest-config>jest-environment-jsdom>jsdom>ws
• jest>jest-cli>jest-runner>jest-config>jest-environment-jsdom>jsdom>ws
• jest>jest-cli>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws
• jest>jest-cli>jest-runtime>jest-config>jest-environment-jsdom>jsdom>ws
• jest>jest-cli>jest-environment-jsdom>jsdom>ws
• jest-environment-jsdom>jsdom>ws

• jest-enzyme>jest-environment-enzyme>jest-environment-jsdom>jsdom>ws

Remediation

Upgrade to version 5.2.3 or 6.2.2 or 7.4.6 or later

References

• CVE
• GitHub Advisory

Overview

glob-parent before 5.1.2 has a regular expression denial of service vulnerability. The enclosure regex used to check for strings ending in enclosure containing path separator.

Findings

• @babel/cli>@nicolo-ribaudo/chokidar-2>glob-parent
• eslint-watch>chokidar>glob-parent
• webpack>watchpack>watchpack-chokidar2>chokidar>glob-parent
• webpack-dev-server>chokidar>glob-parent

• babel-jest>babel-plugin-istanbul>test-exclude>micromatch>parse-glob>glob-base>glob-parent
• jest>jest-cli>jest-config>babel-jest>babel-plugin-istanbul>test-exclude>micromatch>parse-glob>glob-base>glob-parent
• jest>jest-cli>jest-runner>jest-config>babel-jest>babel-plugin-istanbul>test-exclude>micromatch>parse-glob>glob-base>glob-parent
• jest>jest-cli>jest-runner>jest-runtime>jest-config>babel-jest>babel-plugin-istanbul>test-exclude>micromatch>parse-glob>glob-base>glob-parent
• jest>jest-cli>jest-runtime>jest-config>babel-jest>babel-plugin-istanbul>test-exclude>micromatch>parse-glob>glob-base>glob-parent
• jest>jest-cli>jest-runner>jest-runtime>babel-plugin-istanbul>test-exclude>micromatch>parse-glob>glob-base>glob-parent
• jest>jest-cli>jest-runtime>babel-plugin-istanbul>test-exclude>micromatch>parse-glob>glob-base>glob-parent
• jest>jest-cli>jest-config>jest-environment-jsdom>jest-util>jest-message-util>micromatch>parse-glob>glob-base>glob-parent
• jest>jest-cli>jest-runner>jest-config>jest-environment-jsdom>jest-util>jest-message-util>micromatch>parse-glob>glob-base>glob-parent
• jest>jest-cli>jest-runner>jest-runtime>jest-config>jest-environment-jsdom>jest-util>jest-message-util>micromatch>parse-glob>glob-base>glob-parent
• jest>jest-cli>jest-runtime>jest-config>jest-environment-jsdom>jest-util>jest-message-util>micromatch>parse-glob>glob-base>glob-parent
• jest>jest-cli>jest-environment-jsdom>jest-util>jest-message-util>micromatch>parse-glob>glob-base>glob-parent
• jest-environment-jsdom>jest-util>jest-message-util>micromatch>parse-glob>glob-base>glob-parent
• jest>jest-cli>jest-config>jest-environment-node>jest-util>jest-message-util>micromatch>parse-glob>glob-base>glob-parent
• jest>jest-cli>jest-runner>jest-config>jest-environment-node>jest-util>jest-message-util>micromatch>parse-glob>glob-base>glob-parent
• jest>jest-cli>jest-runner>jest-runtime>jest-config>jest-environment-node>jest-util>jest-message-util>micromatch>parse-glob>glob-base>glob-parent
• jest>jest-cli>jest-runtime>jest-config>jest-environment-node>jest-util>jest-message-util>micromatch>parse-glob>glob-base>glob-parent
• jest>jest-cli>jest-config>jest-jasmine2>jest-util>jest-message-util>micromatch>parse-glob>glob-base>glob-parent
• jest>jest-cli>jest-runner>jest-config>jest-jasmine2>jest-util>jest-message-util>micromatch>parse-glob>glob-base>glob-parent
• jest>jest-cli>jest-runner>jest-runtime>jest-config>jest-jasmine2>jest-util>jest-message-util>micromatch>parse-glob>glob-base>glob-parent
• jest>jest-cli>jest-runtime>jest-config>jest-jasmine2>jest-util>jest-message-util>micromatch>parse-glob>glob-base>glob-parent
• jest>jest-cli>jest-runner>jest-jasmine2>jest-util>jest-message-util>micromatch>parse-glob>glob-base>glob-parent
• jest>jest-cli>jest-config>jest-util>jest-message-util>micromatch>parse-glob>glob-base>glob-parent
• jest>jest-cli>jest-runner>jest-config>jest-util>jest-message-util>micromatch>parse-glob>glob-base>glob-parent
• jest>jest-cli>jest-runner>jest-runtime>jest-config>jest-util>jest-message-util>micromatch>parse-glob>glob-base>glob-parent
• jest>jest-cli>jest-runtime>jest-config>jest-util>jest-message-util>micromatch>parse-glob>glob-base>glob-parent
• jest>jest-cli>jest-runner>jest-runtime>jest-util>jest-message-util>micromatch>parse-glob>glob-base>glob-parent
• jest>jest-cli>jest-runtime>jest-util>jest-message-util>micromatch>parse-glob>glob-base>glob-parent
• jest>jest-cli>jest-runner>jest-util>jest-message-util>micromatch>parse-glob>glob-base>glob-parent
• jest>jest-cli>jest-util>jest-message-util>micromatch>parse-glob>glob-base>glob-parent
• jest>jest-cli>jest-config>jest-jasmine2>expect>jest-message-util>micromatch>parse-glob>glob-base>glob-parent
• jest>jest-cli>jest-runner>jest-config>jest-jasmine2>expect>jest-message-util>micromatch>parse-glob>glob-base>glob-parent
• jest>jest-cli>jest-runner>jest-runtime>jest-config>jest-jasmine2>expect>jest-message-util>micromatch>parse-glob>glob-base>glob-parent
• jest>jest-cli>jest-runtime>jest-config>jest-jasmine2>expect>jest-message-util>micromatch>parse-glob>glob-base>glob-parent
• jest>jest-cli>jest-runner>jest-jasmine2>expect>jest-message-util>micromatch>parse-glob>glob-base>glob-parent
• jest>jest-cli>jest-config>jest-jasmine2>jest-message-util>micromatch>parse-glob>glob-base>glob-parent
• jest>jest-cli>jest-runner>jest-config>jest-jasmine2>jest-message-util>micromatch>parse-glob>glob-base>glob-parent
• jest>jest-cli>jest-runner>jest-runtime>jest-config>jest-jasmine2>jest-message-util>micromatch>parse-glob>glob-base>glob-parent
• jest>jest-cli>jest-runtime>jest-config>jest-jasmine2>jest-message-util>micromatch>parse-glob>glob-base>glob-parent
• jest>jest-cli>jest-runner>jest-jasmine2>jest-message-util>micromatch>parse-glob>glob-base>glob-parent
• jest>jest-cli>jest-config>jest-jasmine2>jest-snapshot>jest-message-util>micromatch>parse-glob>glob-base>glob-parent
• jest>jest-cli>jest-runner>jest-config>jest-jasmine2>jest-snapshot>jest-message-util>micromatch>parse-glob>glob-base>glob-parent
• jest>jest-cli>jest-runner>jest-runtime>jest-config>jest-jasmine2>jest-snapshot>jest-message-util>micromatch>parse-glob>glob-base>glob-parent
• jest>jest-cli>jest-runtime>jest-config>jest-jasmine2>jest-snapshot>jest-message-util>micromatch>parse-glob>glob-base>glob-parent
• jest>jest-cli>jest-runner>jest-jasmine2>jest-snapshot>jest-message-util>micromatch>parse-glob>glob-base>glob-parent
• jest>jest-cli>jest-resolve-dependencies>jest-snapshot>jest-message-util>micromatch>parse-glob>glob-base>glob-parent
• jest>jest-cli>jest-runner>jest-runtime>jest-snapshot>jest-message-util>micromatch>parse-glob>glob-base>glob-parent
• jest>jest-cli>jest-runtime>jest-snapshot>jest-message-util>micromatch>parse-glob>glob-base>glob-parent
• jest>jest-cli>jest-snapshot>jest-message-util>micromatch>parse-glob>glob-base>glob-parent
• jest>jest-cli>jest-message-util>micromatch>parse-glob>glob-base>glob-parent
• jest>jest-cli>jest-runner>jest-message-util>micromatch>parse-glob>glob-base>glob-parent
• jest>jest-cli>jest-runner>jest-runtime>jest-message-util>micromatch>parse-glob>glob-base>glob-parent
• jest>jest-cli>jest-runtime>jest-message-util>micromatch>parse-glob>glob-base>glob-parent
• jest>jest-cli>jest-config>micromatch>parse-glob>glob-base>glob-parent
• jest>jest-cli>jest-runner>jest-config>micromatch>parse-glob>glob-base>glob-parent
• jest>jest-cli>jest-runner>jest-runtime>jest-config>micromatch>parse-glob>glob-base>glob-parent
• jest>jest-cli>jest-runtime>jest-config>micromatch>parse-glob>glob-base>glob-parent
• jest>jest-cli>jest-haste-map>micromatch>parse-glob>glob-base>glob-parent
• jest>jest-cli>jest-runner>jest-haste-map>micromatch>parse-glob>glob-base>glob-parent
• jest>jest-cli>jest-runner>jest-runtime>jest-haste-map>micromatch>parse-glob>glob-base>glob-parent
• jest>jest-cli>jest-runtime>jest-haste-map>micromatch>parse-glob>glob-base>glob-parent
• jest>jest-cli>jest-runner>jest-runtime>micromatch>parse-glob>glob-base>glob-parent
• jest>jest-cli>jest-runtime>micromatch>parse-glob>glob-base>glob-parent
• jest>jest-cli>micromatch>parse-glob>glob-base>glob-parent

Remediation

Upgrade to version 5.1.2 or later

References

• CVE
• GitHub Advisory