{"url":"http://public2.vulnerablecode.io/api/packages/268665?format=json","purl":"pkg:npm/apostrophe@2.96.2","type":"npm","namespace":"","name":"apostrophe","version":"2.96.2","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"3.4.0","latest_non_vulnerable_version":"4.29.0","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/53191?format=json","vulnerability_id":"VCID-5v79-remg-7ub4","summary":"Denial of Service in apostrophe\nVersions of `apostrophe` prior to 2.97.1 are vulnerable to Denial of Service. The `apostrophe-jobs` module sets a callback for incoming jobs and doesn't clear it regardless of its status. This causes the server to accumulate callbacks, allowing an attacker to start a large number of jobs and exhaust system memory.\n\n\n## Recommendation\n\nUpgrade to version 2.97.1 or later.","references":[{"reference_url":"https://www.npmjs.com/advisories/1183","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.npmjs.com/advisories/1183"},{"reference_url":"https://github.com/advisories/GHSA-pv6r-vchh-cxg9","reference_id":"GHSA-pv6r-vchh-cxg9","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-pv6r-vchh-cxg9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/78225?format=json","purl":"pkg:npm/apostrophe@2.97.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-82j4-a56g-3kbq"},{"vulnerability":"VCID-dsd6-hfud-ekfs"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/apostrophe@2.97.1"}],"aliases":["GHSA-pv6r-vchh-cxg9","GMS-2020-705"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5v79-remg-7ub4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41681
?format=json","vulnerability_id":"VCID-82j4-a56g-3kbq","summary":"Insufficient Session Expiration\nAffected Apostrophe CMS versions allow unauthenticated remote attackers to hijack recently logged-in users' sessions.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-25979","reference_id":"","reference_type":"","scores":[{"value":"0.00363","scoring_system":"epss","scoring_elements":"0.58747","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00363","scoring_system":"epss","scoring_elements":"0.58701","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-25979"},{"reference_url":"https://github.com/apostrophecms/apostrophe","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apostrophecms/apostrophe"},{"reference_url":"https://github.com/apostrophecms/apostrophe/commit/c211b211f9f4303a77a307cf41aac9b4ef8d2c7c","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-30T15:48:32Z/"}],"url":"https://github.com/apostrophecms/apostrophe/commit/c211b211f9f4303a77a307cf41aac9b4ef8d2c7c"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-25979","reference_id":"CVE-2021-25979","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-25979"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.i
o/api/packages/59493?format=json","purl":"pkg:npm/apostrophe@3.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dsd6-hfud-ekfs"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/apostrophe@3.3.1"},{"url":"http://public2.vulnerablecode.io/api/packages/59494?format=json","purl":"pkg:npm/apostrophe@3.4.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/apostrophe@3.4.0"}],"aliases":["CVE-2021-25979","GHSA-9j9m-8wjc-ff96"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-82j4-a56g-3kbq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41678?format=json","vulnerability_id":"VCID-dsd6-hfud-ekfs","summary":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nAffected Apostrophe CMS versions are vulnerable to Stored XSS where an editor uploads an SVG file that contains malicious JavaScript onto the Images module, which triggers XSS once viewed.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-25978","reference_id":"","reference_type":"","scores":[{"value":"0.00206","scoring_system":"epss","scoring_elements":"0.42771","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00206","scoring_system":"epss","scoring_elements":"0.42845","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-25978"},{"reference_url":"https://github.com/apostrophecms/apostrophe","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apostrophecms/apostrophe"},{"reference_url":"https://github.com/apostrophecms/apostrophe/commit/c8b94ee9c79468f1ce28e31966cb0e0839165e59","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-30T15:48:54Z/"}],"url":"https://github.com/apostrophecms/apostrophe/commit/c8b94ee9c79468f1ce28e31966cb0e0839165e59"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-25978","reference_id":"CVE-2021-25978","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-25978"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/59494?format=json","purl":"pkg:npm/apostrophe@3.4.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/apostrophe@3.4.0"}],"alias
es":["CVE-2021-25978","GHSA-4r9c-jghc-cx5m"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dsd6-hfud-ekfs"}],"fixing_vulnerabilities":[],"risk_score":"1.4","resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/apostrophe@2.96.2"}