Description
Vulnerable Library - actions-toolkit-6.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/windows-release/node_modules/cross-spawn/package.json
Vulnerabilities
| CVE | Severity |  CVSS |
Exploit Maturity | EPSS | Dependency | Type | Fixed in (actions-toolkit version) | Remediation Possible** | Reachability |
|---|---|---|---|---|---|---|---|---|---|
| CVE-2021-44906 |  Critical |
9.8 | Not Defined | 2.3% | minimist-1.2.5.tgz | Transitive | N/A* | ❌ | |
| CVE-2024-21538 |  High |
7.5 | Proof of concept | 0.0% | cross-spawn-6.0.5.tgz | Transitive | N/A* | ❌ | |
| CVE-2025-25290 |  Medium |
5.3 | Not Defined | 0.0% | request-5.4.10.tgz | Transitive | N/A* | ❌ | |
| CVE-2025-25289 | Medium |
5.3 | Not Defined | 0.0% | request-error-2.0.3.tgz | Transitive | N/A* | ❌ | |
| CVE-2025-25288 | Medium |
5.3 | Not Defined | 0.0% | plugin-paginate-rest-2.6.0.tgz | Transitive | N/A* | ❌ | |
| CVE-2025-25285 | Medium |
5.3 | Not Defined | 0.0% | endpoint-6.0.9.tgz | Transitive | N/A* | ❌ | |
| CVE-2022-25883 | Medium |
5.3 | Proof of concept | 0.5% | semver-5.7.1.tgz | Transitive | N/A* | ❌ | |
| CVE-2022-35954 | Medium |
5.0 | Not Defined | 0.1% | core-1.2.6.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2021-44906
Vulnerable Library - minimist-1.2.5.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/minimist/package.json
Dependency Hierarchy:
- actions-toolkit-6.0.1.tgz (Root Library)
- ❌ minimist-1.2.5.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
Publish Date: 2022-03-17
URL: CVE-2021-44906
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 2.3%
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-xvch-5gv4-984h
Release Date: 2022-03-17
Fix Resolution: minimist - 0.2.4,1.2.6
CVE-2024-21538
Vulnerable Library - cross-spawn-6.0.5.tgz
Cross platform child_process#spawn and child_process#spawnSync
Library home page: https://registry.npmjs.org/cross-spawn/-/cross-spawn-6.0.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/windows-release/node_modules/cross-spawn/package.json
Dependency Hierarchy:
- actions-toolkit-6.0.1.tgz (Root Library)
- rest-17.11.2.tgz
- core-2.5.4.tgz
- universal-user-agent-5.0.0.tgz
- os-name-3.1.0.tgz
- windows-release-3.3.3.tgz
- execa-1.0.0.tgz
- ❌ cross-spawn-6.0.5.tgz (Vulnerable Library)
- execa-1.0.0.tgz
- windows-release-3.3.3.tgz
- os-name-3.1.0.tgz
- universal-user-agent-5.0.0.tgz
- core-2.5.4.tgz
- rest-17.11.2.tgz
Found in base branch: main
Vulnerability Details
Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.
Publish Date: 2024-11-08
URL: CVE-2024-21538
Threat Assessment
Exploit Maturity: Proof of concept
EPSS: 0.0%
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-21538
Release Date: 2024-11-08
Fix Resolution: cross-spawn - 7.0.5
CVE-2025-25290
Vulnerable Library - request-5.4.10.tgz
Send parameterized requests to GitHub’s APIs with sensible defaults in browsers and Node
Library home page: https://registry.npmjs.org/@octokit/request/-/request-5.4.10.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/@octokit/request/package.json
Dependency Hierarchy:
- actions-toolkit-6.0.1.tgz (Root Library)
- rest-17.11.2.tgz
- core-2.5.4.tgz
- ❌ request-5.4.10.tgz (Vulnerable Library)
- core-2.5.4.tgz
- rest-17.11.2.tgz
Found in base branch: main
Vulnerability Details
@octokit/request sends parameterized requests to GitHub’s APIs with sensible defaults in browsers and Node. Starting in version 1.0.0 and prior to version 9.2.1, the regular expression "/<([^>]+)>; rel="deprecation"/" used to match the "link" header in HTTP responses is vulnerable to a ReDoS (Regular Expression Denial of Service) attack. This vulnerability arises due to the unbounded nature of the regex's matching behavior, which can lead to catastrophic backtracking when processing specially crafted input. An attacker could exploit this flaw by sending a malicious "link" header, resulting in excessive CPU usage and potentially causing the server to become unresponsive, impacting service availability. Version 9.2.1 fixes the issue.
Publish Date: 2025-02-14
URL: CVE-2025-25290
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.0%
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-rmvr-2pp2-xj38
Release Date: 2025-02-14
Fix Resolution: @octokit/request - 9.2.1
CVE-2025-25289
Vulnerable Library - request-error-2.0.3.tgz
Error class for Octokit request errors
Library home page: https://registry.npmjs.org/@octokit/request-error/-/request-error-2.0.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/@octokit/request-error/package.json
Dependency Hierarchy:
- actions-toolkit-6.0.1.tgz (Root Library)
- rest-17.11.2.tgz
- core-2.5.4.tgz
- request-5.4.10.tgz
- ❌ request-error-2.0.3.tgz (Vulnerable Library)
- request-5.4.10.tgz
- core-2.5.4.tgz
- rest-17.11.2.tgz
Found in base branch: main
Vulnerability Details
@octokit/request-error is an error class for Octokit request errors. Starting in version 1.0.0 and prior to version 6.1.7, a Regular Expression Denial of Service (ReDoS) vulnerability exists in the processing of HTTP request headers. By sending an authorization header containing an excessively long sequence of spaces followed by a newline and "@", an attacker can exploit inefficient regular expression processing, leading to excessive resource consumption. This can significantly degrade server performance or cause a denial-of-service (DoS) condition, impacting availability. Version 6.1.7 contains a fix for the issue.
Publish Date: 2025-02-14
URL: CVE-2025-25289
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.0%
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2025-02-14
Fix Resolution: @octokit/request-error - 5.1.1,6.1.7
CVE-2025-25288
Vulnerable Library - plugin-paginate-rest-2.6.0.tgz
Octokit plugin to paginate REST API endpoint responses
Library home page: https://registry.npmjs.org/@octokit/plugin-paginate-rest/-/plugin-paginate-rest-2.6.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/@octokit/plugin-paginate-rest/package.json
Dependency Hierarchy:
- actions-toolkit-6.0.1.tgz (Root Library)
- rest-17.11.2.tgz
- ❌ plugin-paginate-rest-2.6.0.tgz (Vulnerable Library)
- rest-17.11.2.tgz
Found in base branch: main
Vulnerability Details
@octokit/plugin-paginate-rest is the Octokit plugin to paginate REST API endpoint responses. For versions starting in 1.0.0 and prior to 11.4.1 of the npm package "@octokit/plugin-paginate-rest", when calling "octokit.paginate.iterator()", a specially crafted "octokit" instance—particularly with a malicious "link" parameter in the "headers" section of the "request"—can trigger a ReDoS attack. Version 11.4.1 contains a fix for the issue.
Publish Date: 2025-02-14
URL: CVE-2025-25288
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.0%
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-h5c3-5r3r-rr8q
Release Date: 2025-02-14
Fix Resolution: @octokit/plugin-paginate-rest - 11.4.1
CVE-2025-25285
Vulnerable Library - endpoint-6.0.9.tgz
Turns REST API endpoints into generic request options
Library home page: https://registry.npmjs.org/@octokit/endpoint/-/endpoint-6.0.9.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/@octokit/endpoint/package.json
Dependency Hierarchy:
- actions-toolkit-6.0.1.tgz (Root Library)
- rest-17.11.2.tgz
- core-2.5.4.tgz
- request-5.4.10.tgz
- ❌ endpoint-6.0.9.tgz (Vulnerable Library)
- request-5.4.10.tgz
- core-2.5.4.tgz
- rest-17.11.2.tgz
Found in base branch: main
Vulnerability Details
@octokit/endpoint turns REST API endpoints into generic request options. Starting in version 4.1.0 and prior to version 10.1.3, by crafting specific "options" parameters, the "endpoint.parse(options)" call can be triggered, leading to a regular expression denial-of-service (ReDoS) attack. This causes the program to hang and results in high CPU utilization. The issue occurs in the "parse" function within the "parse.ts" file of the npm package "@octokit/endpoint". Version 10.1.3 contains a patch for the issue.
Publish Date: 2025-02-14
URL: CVE-2025-25285
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.0%
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-x4c5-c7rf-jjgv
Release Date: 2025-02-14
Fix Resolution: @octokit/endpoint - 9.0.6,10.1.3
CVE-2022-25883
Vulnerable Library - semver-5.7.1.tgz
The semantic version parser used by npm.
Library home page: https://registry.npmjs.org/semver/-/semver-5.7.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/semver/package.json
Dependency Hierarchy:
- actions-toolkit-6.0.1.tgz (Root Library)
- rest-17.11.2.tgz
- core-2.5.4.tgz
- universal-user-agent-5.0.0.tgz
- os-name-3.1.0.tgz
- windows-release-3.3.3.tgz
- execa-1.0.0.tgz
- cross-spawn-6.0.5.tgz
- ❌ semver-5.7.1.tgz (Vulnerable Library)
- cross-spawn-6.0.5.tgz
- execa-1.0.0.tgz
- windows-release-3.3.3.tgz
- os-name-3.1.0.tgz
- universal-user-agent-5.0.0.tgz
- core-2.5.4.tgz
- rest-17.11.2.tgz
Found in base branch: main
Vulnerability Details
Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
Publish Date: 2023-06-21
URL: CVE-2022-25883
Threat Assessment
Exploit Maturity: Proof of concept
EPSS: 0.5%
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-c2qf-rxjj-qqgw
Release Date: 2023-06-21
Fix Resolution: semver - 5.7.2,6.3.1,7.5.2;org.webjars.npm:semver:7.5.2
CVE-2022-35954
Vulnerable Library - core-1.2.6.tgz
Actions core lib
Library home page: https://registry.npmjs.org/@actions/core/-/core-1.2.6.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/@actions/core/package.json
Dependency Hierarchy:
- actions-toolkit-6.0.1.tgz (Root Library)
- ❌ core-1.2.6.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
The GitHub Actions ToolKit provides a set of packages to make creating actions easier. The core.exportVariable function uses a well known delimiter that attackers can use to break out of that specific variable and assign values to other arbitrary variables. Workflows that write untrusted values to the GITHUB_ENV file may cause the path or other environment variables to be modified without the intention of the workflow or action author. Users should upgrade to @actions/core v1.9.1. If you are unable to upgrade the @actions/core package, you can modify your action to ensure that any user input does not contain the delimiter _GitHubActionsFileCommandDelimeter_ before calling core.exportVariable.
Publish Date: 2022-08-13
URL: CVE-2022-35954
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
CVSS 3 Score Details (5.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35954
Release Date: 2022-08-13
Fix Resolution: @actions/core - 1.9.1
Activity