git-tools-2.130.18.tgz: 3 vulnerabilities (highest severity is: 7.5) - autoclosed

[mend-bolt-for-github]

Vulnerable Library - git-tools-2.130.18.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Found in HEAD commit: 4aa27cc0191414a84d5a49cb36efd9ae5a144edf

Vulnerabilities

Vulnerability	Severity	CVSS	Dependency	Type	Fixed in (git-tools version)	Remediation Possible**
CVE-2026-27601	High	7.5	underscore-1.13.7.tgz	Transitive	N/A*	❌
CVE-2026-25639	High	7.5	axios-1.8.2.tgz	Transitive	N/A*	❌
CVE-2025-58754	High	7.5	axios-1.8.2.tgz	Transitive	N/A*	❌

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2026-27601

Vulnerable Library - underscore-1.13.7.tgz

Library home page: https://registry.npmjs.org/underscore/-/underscore-1.13.7.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• git-tools-2.130.18.tgz (Root Library)
  • ❌ underscore-1.13.7.tgz (Vulnerable Library)

Found in HEAD commit: 4aa27cc0191414a84d5a49cb36efd9ae5a144edf

Found in base branch: main

Vulnerability Details

Underscore.js is a utility-belt library for JavaScript. Prior to 1.13.8, the _.flatten and _.isEqual functions use recursion without a depth limit. Under very specific conditions, detailed below, an attacker could exploit this in a Denial of Service (DoS) attack by triggering a stack overflow. Untrusted input must be used to create a recursive datastructure, for example using JSON.parse, with no enforced depth limit. The datastructure thus created must be passed to _.flatten or _.isEqual. In the case of _.flatten, the vulnerability can only be exploited if it is possible for a remote client to prepare a datastructure that consists of arrays at all levels AND if no finite depth limit is passed as the second argument to _.flatten. In the case of _.isEqual, the vulnerability can only be exploited if there exists a code path in which two distinct datastructures that were submitted by the same remote client are compared using _.isEqual. For example, if a client submits data that are stored in a database, and the same client can later submit another datastructure that is then compared to the data that were saved in the database previously, OR if a client submits a single request, but its data are parsed twice, creating two non-identical but equivalent datastructures that are then compared. Exceptions originating from the call to _.flatten or _.isEqual, as a result of a stack overflow, are not being caught. This vulnerability is fixed in 1.13.8.

Publish Date: 2026-03-03

URL: CVE-2026-27601

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-03-03

Fix Resolution: underscore - 1.13.8,https://github.com/jashkenas/underscore.git - 1.13.8

Step up your Open Source Security Game with Mend here

CVE-2026-25639

Vulnerable Library - axios-1.8.2.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-1.8.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• git-tools-2.130.18.tgz (Root Library)
  • ❌ axios-1.8.2.tgz (Vulnerable Library)

Found in HEAD commit: 4aa27cc0191414a84d5a49cb36efd9ae5a144edf

Found in base branch: main

Vulnerability Details

Axios is a promise based HTTP client for the browser and Node.js. Prior to versions 0.30.3 and 1.13.5, the mergeConfig function in axios crashes with a TypeError when processing configuration objects containing proto as an own property. An attacker can trigger this by providing a malicious configuration object created via JSON.parse(), causing complete denial of service. This vulnerability is fixed in versions 0.30.3 and 1.13.5.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2026-02-09

URL: CVE-2026-25639

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-02-09

Fix Resolution: https://github.com/axios/axios.git - v1.13.5

Step up your Open Source Security Game with Mend here

CVE-2025-58754

Vulnerable Library - axios-1.8.2.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-1.8.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• git-tools-2.130.18.tgz (Root Library)
  • ❌ axios-1.8.2.tgz (Vulnerable Library)

Found in HEAD commit: 4aa27cc0191414a84d5a49cb36efd9ae5a144edf

Found in base branch: main

Vulnerability Details

Axios is a promise based HTTP client for the browser and Node.js. When Axios starting in version 0.28.0 and prior to versions 0.30.2 and 1.12.0 runs on Node.js and is given a URL with the "data:" scheme, it does not perform HTTP. Instead, its Node http adapter decodes the entire payload into memory ("Buffer"/"Blob") and returns a synthetic 200 response. This path ignores "maxContentLength" / "maxBodyLength" (which only protect HTTP responses), so an attacker can supply a very large "data:" URI and cause the process to allocate unbounded memory and crash (DoS), even if the caller requested "responseType: 'stream'". Versions 0.30.2 and 1.12.0 contain a patch for the issue.

Publish Date: 2025-09-12

URL: CVE-2025-58754

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-4hjh-wcwx-xvwj

Release Date: 2025-09-12

Fix Resolution: https://github.com/axios/axios.git - v1.12.0,axios - 0.30.2,axios - 0.30.2,axios - 1.12.0,axios - 1.12.0

Step up your Open Source Security Game with Mend here

[mend-bolt-for-github]

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.