@kleros/vea-relayer-cli-0.0.0.tgz: 4 vulnerabilities (highest severity is: 8.1) #195
Description
Vulnerable Library - @kleros/vea-relayer-cli-0.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/systeminformation-npm-5.25.11-e1c9348b68-10.zip
Found in HEAD commit: e4b400a194736d43c80cc6cf04d0e45387031355
Vulnerabilities
| Vulnerability | Severity |  CVSS |
Dependency | Type | Fixed in (@kleros/vea-relayer-cli version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2025-68154 |  High |
8.1 | systeminformation-5.25.11.tgz | Transitive | N/A* | ❌ |
| CVE-2025-64756 | High |
7.5 | glob-10.4.5.tgz | Transitive | N/A* | ❌ |
| CVE-2025-64718 |  Medium |
5.3 | js-yaml-4.1.0.tgz | Transitive | N/A* | ❌ |
| CVE-2025-5891 | Medium |
4.3 | pm2-6.0.5.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2025-68154
Vulnerable Library - systeminformation-5.25.11.tgz
Advanced, lightweight system and OS information library
Library home page: https://registry.npmjs.org/systeminformation/-/systeminformation-5.25.11.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/systeminformation-npm-5.25.11-e1c9348b68-10.zip
Dependency Hierarchy:
- @kleros/vea-relayer-cli-0.0.0.tgz (Root Library)
- pm2-6.0.5.tgz
- pm2-sysmonit-1.2.8.tgz
- ❌ systeminformation-5.25.11.tgz (Vulnerable Library)
- pm2-sysmonit-1.2.8.tgz
- pm2-6.0.5.tgz
Found in HEAD commit: e4b400a194736d43c80cc6cf04d0e45387031355
Found in base branch: dev
Vulnerability Details
systeminformation is a System and OS information library for node.js. In versions prior to 5.27.14, the "fsSize()" function in systeminformation is vulnerable to OS command injection on Windows systems. The optional "drive" parameter is directly concatenated into a PowerShell command without sanitization, allowing arbitrary command execution when user-controlled input reaches this function. The actual exploitability depends on how applications use this function. If an application does not pass user-controlled input to "fsSize()", it is not vulnerable. Version 5.27.14 contains a patch.
Publish Date: 2025-12-16
URL: CVE-2025-68154
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2025-12-16
Fix Resolution: https://github.com/sebhildebrandt/systeminformation.git - v5.27.14,systeminformation - 5.27.14
Step up your Open Source Security Game with Mend here
CVE-2025-64756
Vulnerable Library - glob-10.4.5.tgz
Library home page: https://registry.npmjs.org/glob/-/glob-10.4.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/glob-npm-10.4.5-8c63175f05-698dfe1182.zip
Dependency Hierarchy:
- @kleros/vea-relayer-cli-0.0.0.tgz (Root Library)
- pm2-6.0.5.tgz
- chokidar-3.6.0.tgz
- fsevents-2.3.3.tgz
- node-gyp-11.2.0.tgz
- make-fetch-happen-14.0.3.tgz
- cacache-19.0.1.tgz
- ❌ glob-10.4.5.tgz (Vulnerable Library)
- cacache-19.0.1.tgz
- make-fetch-happen-14.0.3.tgz
- node-gyp-11.2.0.tgz
- fsevents-2.3.3.tgz
- chokidar-3.6.0.tgz
- pm2-6.0.5.tgz
Found in HEAD commit: e4b400a194736d43c80cc6cf04d0e45387031355
Found in base branch: dev
Vulnerability Details
Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c are used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges. This issue has been patched in versions 10.5.0 and 11.1.0.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-11-17
URL: CVE-2025-64756
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-5j98-mcp5-4vw2
Release Date: 2025-11-17
Fix Resolution: https://github.com/isaacs/node-glob.git - v10.5.0,glob - 11.1.0,https://github.com/isaacs/node-glob.git - v11.1.0,glob - 10.5.0
Step up your Open Source Security Game with Mend here
CVE-2025-64718
Vulnerable Library - js-yaml-4.1.0.tgz
YAML 1.2 parser and serializer
Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/js-yaml-npm-4.1.0-3606f32312-c138a34a3f.zip
Dependency Hierarchy:
- @kleros/vea-relayer-cli-0.0.0.tgz (Root Library)
- pm2-6.0.5.tgz
- ❌ js-yaml-4.1.0.tgz (Vulnerable Library)
- pm2-6.0.5.tgz
Found in HEAD commit: e4b400a194736d43c80cc6cf04d0e45387031355
Found in base branch: dev
Vulnerability Details
js-yaml is a JavaScript YAML parser and dumper. In js-yaml 4.1.0 and below, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution ("proto"). All users who parse untrusted yaml documents may be impacted. The problem is patched in js-yaml 4.1.1. Users can protect against this kind of attack on the server by using "node --disable-proto=delete" or "deno" (in Deno, pollution protection is on by default).
Publish Date: 2025-11-13
URL: CVE-2025-64718
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-mh29-5h37-fv8m
Release Date: 2025-11-13
Fix Resolution: js-yaml - 4.1.1,js-yaml - 3.14.2
Step up your Open Source Security Game with Mend here
CVE-2025-5891
Vulnerable Library - pm2-6.0.5.tgz
Production process manager for Node.JS applications with a built-in load balancer.
Library home page: https://registry.npmjs.org/pm2/-/pm2-6.0.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/pm2-npm-6.0.5-527bc8221a-1c45db52ab.zip
Dependency Hierarchy:
- @kleros/vea-relayer-cli-0.0.0.tgz (Root Library)
- ❌ pm2-6.0.5.tgz (Vulnerable Library)
Found in HEAD commit: e4b400a194736d43c80cc6cf04d0e45387031355
Found in base branch: dev
Vulnerability Details
A vulnerability classified as problematic was found in Unitech pm2 up to 6.0.6. This vulnerability affects unknown code of the file /lib/tools/Config.js. The manipulation leads to inefficient regular expression complexity. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Publish Date: 2025-06-09
URL: CVE-2025-5891
CVSS 3 Score Details (4.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Step up your Open Source Security Game with Mend here