jsforce-1.10.1.tgz: 6 vulnerabilities (highest severity is: 9.8) #1
Description
Vulnerable Library - jsforce-1.10.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/json-schema/package.json
Found in HEAD commit: 6c2472f76d5075744210c464ff58166a1ba83f61
Vulnerabilities
| Vulnerability | Severity |  CVSS |
Dependency | Type | Fixed in (jsforce version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2021-3918 |  Critical |
9.8 | json-schema-0.2.3.tgz | Transitive | 1.11.0 | ✅ |
| CVE-2025-7783 |  High |
8.7 | form-data-2.3.3.tgz | Transitive | 3.1.0 | ✅ |
| CVE-2022-24999 | High |
7.5 | qs-6.5.2.tgz | Transitive | 1.11.0 | ✅ |
| CVE-2023-26136 |  Medium |
6.5 | detected in multiple dependencies | Transitive | 3.1.0 | ✅ |
| CVE-2023-28155 | Medium |
6.1 | request-2.88.2.tgz | Transitive | N/A* | ❌ |
| CVE-2023-0842 | Medium |
5.3 | xml2js-0.4.23.tgz | Transitive | 1.11.1 | ✅ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2021-3918
Vulnerable Library - json-schema-0.2.3.tgz
JSON Schema validation and specifications
Library home page: https://registry.npmjs.org/json-schema/-/json-schema-0.2.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/json-schema/package.json
Dependency Hierarchy:
- jsforce-1.10.1.tgz (Root Library)
- request-2.88.2.tgz
- http-signature-1.2.0.tgz
- jsprim-1.4.1.tgz
- ❌ json-schema-0.2.3.tgz (Vulnerable Library)
- jsprim-1.4.1.tgz
- http-signature-1.2.0.tgz
- request-2.88.2.tgz
Found in HEAD commit: 6c2472f76d5075744210c464ff58166a1ba83f61
Found in base branch: main
Vulnerability Details
json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Publish Date: 2021-11-13
URL: CVE-2021-3918
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-3918
Release Date: 2021-11-13
Fix Resolution (json-schema): 0.4.0
Direct dependency fix Resolution (jsforce): 1.11.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2025-7783
Vulnerable Library - form-data-2.3.3.tgz
A library to create readable "multipart/form-data" streams. Can be used to submit forms and file uploads to other web applications.
Library home page: https://registry.npmjs.org/form-data/-/form-data-2.3.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/form-data/package.json
Dependency Hierarchy:
- jsforce-1.10.1.tgz (Root Library)
- request-2.88.2.tgz
- ❌ form-data-2.3.3.tgz (Vulnerable Library)
- request-2.88.2.tgz
Found in HEAD commit: 6c2472f76d5075744210c464ff58166a1ba83f61
Found in base branch: main
Vulnerability Details
Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated with program files lib/form_data.Js.
This issue affects form-data: < 2.5.4, 3.0.0 - 3.0.3, 4.0.0 - 4.0.3.
Publish Date: 2025-07-18
URL: CVE-2025-7783
CVSS 3 Score Details (8.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2025-07-18
Fix Resolution (form-data): 2.5.4
Direct dependency fix Resolution (jsforce): 3.1.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2022-24999
Vulnerable Library - qs-6.5.2.tgz
A querystring parser that supports nesting and arrays, with a depth limit
Library home page: https://registry.npmjs.org/qs/-/qs-6.5.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/request/node_modules/qs/package.json
Dependency Hierarchy:
- jsforce-1.10.1.tgz (Root Library)
- request-2.88.2.tgz
- ❌ qs-6.5.2.tgz (Vulnerable Library)
- request-2.88.2.tgz
Found in HEAD commit: 6c2472f76d5075744210c464ff58166a1ba83f61
Found in base branch: main
Vulnerability Details
qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[proto]=b&a[proto]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: [email protected]" in its release description, is not vulnerable).
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2022-11-26
URL: CVE-2022-24999
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-24999
Release Date: 2022-11-26
Fix Resolution (qs): 6.5.3
Direct dependency fix Resolution (jsforce): 1.11.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2023-26136
Vulnerable Libraries - tough-cookie-4.0.0.tgz, tough-cookie-2.5.0.tgz
tough-cookie-4.0.0.tgz
RFC6265 Cookies and Cookie Jar for node.js
Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-4.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/tough-cookie/package.json
Dependency Hierarchy:
- jsforce-1.10.1.tgz (Root Library)
- faye-1.4.0.tgz
- ❌ tough-cookie-4.0.0.tgz (Vulnerable Library)
- faye-1.4.0.tgz
tough-cookie-2.5.0.tgz
RFC6265 Cookies and Cookie Jar for node.js
Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.5.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/request/node_modules/tough-cookie/package.json
Dependency Hierarchy:
- jsforce-1.10.1.tgz (Root Library)
- request-2.88.2.tgz
- ❌ tough-cookie-2.5.0.tgz (Vulnerable Library)
- request-2.88.2.tgz
Found in HEAD commit: 6c2472f76d5075744210c464ff58166a1ba83f61
Found in base branch: main
Vulnerability Details
Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.
Publish Date: 2023-07-01
URL: CVE-2023-26136
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-26136
Release Date: 2023-07-01
Fix Resolution (tough-cookie): 4.1.3
Direct dependency fix Resolution (jsforce): 3.1.0
Fix Resolution (tough-cookie): 4.1.3
Direct dependency fix Resolution (jsforce): 3.1.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2023-28155
Vulnerable Library - request-2.88.2.tgz
Simplified HTTP request client.
Library home page: https://registry.npmjs.org/request/-/request-2.88.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/request/package.json
Dependency Hierarchy:
- jsforce-1.10.1.tgz (Root Library)
- ❌ request-2.88.2.tgz (Vulnerable Library)
Found in HEAD commit: 6c2472f76d5075744210c464ff58166a1ba83f61
Found in base branch: main
Vulnerability Details
The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Publish Date: 2023-03-16
URL: CVE-2023-28155
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-p8p7-x288-28g6
Release Date: 2023-03-16
Fix Resolution: @cypress/request - 3.0.0
CVE-2023-0842
Vulnerable Library - xml2js-0.4.23.tgz
Simple XML to JavaScript object converter.
Library home page: https://registry.npmjs.org/xml2js/-/xml2js-0.4.23.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/xml2js/package.json
Dependency Hierarchy:
- jsforce-1.10.1.tgz (Root Library)
- ❌ xml2js-0.4.23.tgz (Vulnerable Library)
Found in HEAD commit: 6c2472f76d5075744210c464ff58166a1ba83f61
Found in base branch: main
Vulnerability Details
xml2js version 0.4.23 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the proto property to be edited.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2023-04-05
URL: CVE-2023-0842
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-0842
Release Date: 2023-04-05
Fix Resolution (xml2js): 0.5.0
Direct dependency fix Resolution (jsforce): 1.11.1
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.