CVE-2022-38900 (npm/decode-uri-component) found on v14.x dependancy #98
Labels
Comments
|
@siemenstan do you know how/if it affects npm as that will depend on what APIs are used from decode-uri-component right? |
mhdawson
changed the title
|
@mhdawson No, my app doesn't use the decode-uri-component. It's just my company security scan system is picking up this public CVE from my app container image with the node 14.x image. Btw, following the CVE-2022-3517 issue, it has been addressed in pr#45936 |
|
@nodejs/npm could you check if that affect Node.js itself? |
|
nodejs/node#45936 addresses this |
|
Believe this was addressed by recent security release, closing |
# for free
to join this conversation on GitHub.
Already have an account?
# to comment
@RafaelGSS
This public CVE is reported against decode-uri-component, which is a dependency of the npm in NodeJs 14.x.
Vulnerability ID: CVE-2022-38900
Vulnerability URL: https://nvd.nist.gov/vuln/detail/CVE-2022-38900
found in node-v14.21.2-linux-x64-musl.tar.xz (lib\node_modules\npm\node_modules\decode-uri-component)
src: node/deps/npm/node_modules/decode-uri-component/
The text was updated successfully, but these errors were encountered: