Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:npm/scratch-vm@0.1.0-prerelease.1480351396
Typenpm
Namespace
Namescratch-vm
Version0.1.0-prerelease.1480351396
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version0.2.0-prerelease.20200714185213
Latest_non_vulnerable_version0.2.0-prerelease.20200714185213
Affected_by_vulnerabilities
0
url VCID-19qw-nw8m-huat
vulnerability_id VCID-19qw-nw8m-huat
summary 
Deserialization of Untrusted Data
MIT Lifelong Kindergarten Scratch scratch-vm loads extension URLs from untrusted `project.json` files with certain `_` characters, resulting in remote code execution because the URL content is treated as a script and is executed as a worker. The responsible code is `getExtensionIdForOpcode` in `serialization/sb3.js`. The use of `_` is incompatible with a protection mechanism in older versions, in which URLs were split and consequently deserialization attacks were prevented.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-14000
reference_id
reference_type
scores
0
value 0.06601
scoring_system epss
scoring_elements 0.91341
published_at 2026-06-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-14000
1
reference_url https://github.com/LLK/scratch-vm
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/LLK/scratch-vm
2
reference_url https://github.com/LLK/scratch-vm/pull/2476
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/LLK/scratch-vm/pull/2476
3
reference_url https://github.com/LLK/scratch-vm/pull/2476/commits/90b9da45f4084958535338d1c4d71a22d6136aab
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/LLK/scratch-vm/pull/2476/commits/90b9da45f4084958535338d1c4d71a22d6136aab
4
reference_url https://scratch.mit.edu/discuss/topic/422904/?page=1#post-4223443
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://scratch.mit.edu/discuss/topic/422904/?page=1#post-4223443
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-14000
reference_id CVE-2020-14000
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2020-14000
fixed_packages
0
url pkg:npm/scratch-vm@0.2.0-prerelease.20200714185213
purl pkg:npm/scratch-vm@0.2.0-prerelease.20200714185213
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/scratch-vm@0.2.0-prerelease.20200714185213
aliases CVE-2020-14000, GHSA-vc9j-fhvv-8vrf
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-19qw-nw8m-huat
Fixing_vulnerabilities
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:npm/scratch-vm@0.1.0-prerelease.1480351396