Components Vulnerabilities Pricing MCP API

@aerogear/voyager-client 2.3.1-dev.1 | Vul… | Sonatype Guide

@aerogear/voyager-client

2.3.1-dev.1

@aerogear/voyager-client 2.3.1-dev.1

PublishedMar 12, 2019•Policy

compliance

Developer Trust Score

N/A

Recommended Version:x.y.z

Latest version with 0 known vulnerabilities that meets your policy.

Compare Versions

Severity

Critical (17)

High (0)

Medium (0)

Low (0)

CVSS Score

0.010.0

EPSS Score

0.01.0

Malware

KEV StatusPublished

9.1CVE-2025-9288

Improper Input Validation vulnerability in sha.js allows Input Data Manipulation.This issue affects sha.js: through 2.4.11.

SeverityCritical

PublishedAug 21, 2025

9.1CVE-2025-6545

Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation. This vulnerability is associated with program files lib/to-buffer.Js. This issue affects pbkdf2: from 3.0.10 through 3.1.2.

SeverityCritical

9.0sonatype-2025-000528

elliptic - Exposure of Sensitive Information to an Unauthorized Actor

SeverityCritical

PublishedFeb 13, 2025

9.1CVE-2024-48949

The verify function in lib/elliptic/eddsa/index.js in the Elliptic package before 6.5.6 for Node.js omits "sig.S().gte(sig.eddsa.curve.n) || sig.S().isNeg()" validation.

SeverityCritical

9.1CVE-2024-42461

In the Elliptic package 6.5.6 for Node.js, ECDSA signature malleability occurs because BER-encoded signatures are allowed.

SeverityCritical

9.8CVE-2023-28154

Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.

SeverityCritical

9.8CVE-2022-2421

Due to improper type validation in attachment parsing the Socket.io js library, it is possible to overwrite the _placeholder object which allows an attacker to place references to functions at arbitrary places in the resulting query object.

SeverityCritical

9.8CVE-2022-37601

Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the name variable in parseQuery.js. This affects all versions prior to 1.4.1 and 2.0.3.

SeverityCritical

PublishedOct 13, 2022

9.4CVE-2021-31597

The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.

SeverityCritical

PublishedApr 27, 2021

9.4sonatype-2021-0459

unset-value - Prototype Pollution

SeverityCritical

PublishedApr 19, 2021

9.8sonatype-2020-0739

lodash - Prototype Pollution

SeverityCritical

PublishedAug 19, 2020

9.8sonatype-2019-0500

lodash - Prototype Pollution via _.template

SeverityCritical

9.1CVE-2019-10744

Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

SeverityCritical

9.8CVE-2019-10747

set-value is vulnerable to Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype and _proto_ payloads.

SeverityCritical

9.8CVE-2019-10746

mixin-deep is vulnerable to Prototype Pollution in versions before 1.3.2 and version 2.0.0. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

SeverityCritical

9.8sonatype-2019-0206

execa - OS Command Injection

SeverityCritical

PublishedMay 7, 2019

9.8sonatype-2019-0120

js-yaml - Remote Code Execution (RCE)

SeverityCritical

PublishedApr 10, 2019

Jun 24, 2025

Oct 10, 2024

Aug 2, 2024

Mar 13, 2023

Oct 27, 2022

Published

Nov 26, 2019

Published

Jul 4, 2019

Jun 25, 2019

Jun 25, 2019