@qelos/assets 3.7.4 | Vulnerabilities | Sonatype Guide
Published: Nov 5, 2024
Developer Trust Score: N/A
Versions: 3
Vulnerabilities: 26
Dependencies: 0
Severity: Critical (9), High (0), Medium (0), Low (0)
Sort: Published (Newest first)

CVE-2025-7783 (CVSS 9.4)
Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated with program files lib/form_data.Js. This issue affects form-data: < 2.5.4, 3.0.0 - 3.0.3, 4.0.0 - 4.0.3.
Status: affected | Severity: Critical | Published: Jul 23, 2025

CVE-2024-53900 (CVSS 9.3)
Mongoose before 8.8.3 can improperly use $where in match, leading to search injection.
Status: affected | Severity: Critical | Published: Dec 3, 2024

CVE-2023-42282 (CVSS 9.8)
The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.
Status: affected | Severity: Critical | Published: Feb 12, 2024

sonatype-2023-3090 (CVSS 9.8)
vm2 - Protection Mechanism Failure [CVE-2023-37903]
Status: affected | Severity: Critical | Published: Jul 14, 2023

sonatype-2023-3071 (CVSS 9.8)
vm2 - Remote Code Execution (RCE)
Status: affected | Severity: Critical | Published: Jul 14, 2023

CVE-2023-32314 (CVSS 10.0)
vm2 is a sandbox that can run untrusted code with Node's built-in modules. A sandbox escape vulnerability exists in vm2 for versions up to and including 3.9.17. It abuses an unexpected creation of a host object based on the specification of `Proxy`. As a result a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version `3.9.18` of `vm2`. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Status: affected | Severity: Critical | Published: May 17, 2023

CVE-2023-30547 (CVSS 10.0)
vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. There exists a vulnerability in exception sanitization of vm2 for versions up to 3.9.16, allowing attackers to raise an unsanitized host exception inside `handleException()` which can be used to escape the sandbox and run arbitrary code in host context. This vulnerability was patched in the release of version `3.9.17` of `vm2`. There are no known workarounds for this vulnerability. Users are advised to upgrade.
Status: affected | Severity: Critical | Published: Apr 18, 2023

CVE-2023-29199 (CVSS 10.0)
There exists a vulnerability in source code transformer (exception sanitization logic) of vm2 for versions up to 3.9.15, allowing attackers to bypass `handleException()` and leak unsanitized host exceptions which can be used to escape the sandbox and run arbitrary code in host context. A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version `3.9.16` of `vm2`.
Status: affected | Severity: Critical | Published: Apr 12, 2023

CVE-2023-29017 (CVSS 9.8)
vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Prior to version 3.9.15, vm2 was not properly handling host objects passed to `Error.prepareStackTrace` in case of unhandled async errors. A threat actor could bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version 3.9.15 of vm2. There are no known workarounds.
Status: affected | Severity: Critical | Published: Apr 7, 2023