{"url":"http://public2.vulnerablecode.io/api/packages/54520?format=json","purl":"pkg:npm/keystone@4.0.0","type":"npm","namespace":"","name":"keystone","version":"4.0.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":null,"latest_non_vulnerable_version":null,"affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/39080?format=json","vulnerability_id":"VCID-2yxf-3ebk-nbeu","summary":"Improper Input Validation\nCSV Injection via a value that is mishandled in a CSV export.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-15879","reference_id":"","reference_type":"","scores":[{"value":"0.09815","scoring_system":"epss","scoring_elements":"0.93121","published_at":"2026-06-06T12:55:00Z"},{"value":"0.09815","scoring_system":"epss","scoring_elements":"0.93126","published_at":"2026-06-09T12:55:00Z"},{"value":"0.09815","scoring_system":"epss","scoring_elements":"0.93117","published_at":"2026-06-08T12:55:00Z"},{"value":"0.09815","scoring_system":"epss","scoring_elements":"0.93119","published_at":"2026-06-07T12:55:00Z"},{"value":"0.09815","scoring_system":"epss","scoring_elements":"0.93112","published_at":"2026-06-04T12:55:00Z"},{"value":"0.09815","scoring_system":"epss","scoring_elements":"0.93123","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-15879"},{"reference_url":"https://github.com/advisories/GHSA-6494-v9fq-fgq2","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6494-v9fq-fgq2"},{"reference_url":"https://github.com/keystonejs/keystone/pull/4478","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keystonejs/keystone/pull/4478"},{"reference_url":"https://packetstormsecurity.com/files/144755/KeystoneJS-4.0.0-beta.5-Unauthenticated-CSV-Injection.html","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://packetstormsecurity.com/files/144755/KeystoneJS-4.0.0-beta.5-Unauthenticated-CSV-Injection.html"},{"reference_url":"https://www.exploit-db.com/exploits/43053","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.exploit-db.com/exploits/43053"},{"reference_url":"https://www.exploit-db.com/exploits/43053/","reference_id":"","reference_type":"","scores":[],"url":"https://www.exploit-db.com/exploits/43053/"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/nodejs/webapps/43053.txt","reference_id":"CVE-2017-15879","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/nodejs/webapps/43053.txt"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-15879","reference_id":"CVE-2017-15879","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-15879"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/54521?format=json","purl":"pkg:npm/keystone@4.1.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ppy6-36tw-sqft"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/keystone@4.1.0"}],"aliases":["CVE-2017-15879","GHSA-6494-v9fq-fgq2"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2yxf-3ebk-nbeu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/39100?format=json","vulnerability_id":"VCID-m9p7-836k-pqfb","summary":"Cross-site Scripting\nCross-Site Scripting vulnerability in KeystoneJS allows remote authenticated administrators to inject arbitrary web script or HTML via the `content brief` or `content extended` field.","references":[{"reference_url":"http://blog.securelayer7.net/keystonejs-open-source-penetration-testing-report","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://blog.securelayer7.net/keystonejs-open-source-penetration-testing-report"},{"reference_url":"http://blog.securelayer7.net/keystonejs-open-source-penetration-testing-report/","reference_id":"","reference_type":"","scores":[],"url":"http://blog.securelayer7.net/keystonejs-open-source-penetration-testing-report/"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-15881","reference_id":"","reference_type":"","scores":[{"value":"0.00466","scoring_system":"epss","scoring_elements":"0.64737","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00466","scoring_system":"epss","scoring_elements":"0.64778","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00466","scoring_system":"epss","scoring_elements":"0.64766","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00466","scoring_system":"epss","scoring_elements":"0.64785","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00466","scoring_system":"epss","scoring_elements":"0.64777","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00466","scoring_system":"epss","scoring_elements":"0.64788","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-15881"},{"reference_url":"https://github.com/advisories/GHSA-7cv6-gvx3-m54m","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7cv6-gvx3-m54m"},{"reference_url":"https://github.com/keystonejs/keystone/issues/4437","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keystonejs/keystone/issues/4437"},{"reference_url":"https://github.com/keystonejs/keystone/pull/4478","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keystonejs/keystone/pull/4478"},{"reference_url":"https://securelayer7.net/download/pdf/KeystoneJS-Pentest-Report-SecureLayer7.pdf","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://securelayer7.net/download/pdf/KeystoneJS-Pentest-Report-SecureLayer7.pdf"},{"reference_url":"https://www.npmjs.com/advisories/981","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.npmjs.com/advisories/981"},{"reference_url":"http://www.securityfocus.com/bid/101541","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.securityfocus.com/bid/101541"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-15881","reference_id":"CVE-2017-15881","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-15881"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/54521?format=json","purl":"pkg:npm/keystone@4.1.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ppy6-36tw-sqft"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/keystone@4.1.0"}],"aliases":["CVE-2017-15881","GHSA-7cv6-gvx3-m54m"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-m9p7-836k-pqfb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/45844?format=json","vulnerability_id":"VCID-ppy6-36tw-sqft","summary":"Missing Authorization\nKeystone is an open source headless CMS for Node.js — built with GraphQL and React. When `ui.isAccessAllowed` is set as `undefined`, the `adminMeta` GraphQL query is publicly accessible (no session required). This is different to the behaviour of the default AdminUI middleware, which by default will only be publicly accessible (no session required) if a `session` strategy is not defined. This vulnerability does not affect developers using the `@keystone-6/auth` package, or any users that have written their own `ui.isAccessAllowed` (that is to say, `isAccessAllowed` is not `undefined`). This vulnerability does affect users who believed that their `session` strategy will, by default, enforce that `adminMeta` is inaccessible by the public in accordance with that strategy; akin to the behaviour of the AdminUI middleware. This vulnerability has been patched in `@keystone-6/core` version `5.5.1`. Users are advised to upgrade. Users unable to upgrade may opt to write their own `isAccessAllowed` functionality to work-around this vulnerability.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-40027","reference_id":"","reference_type":"","scores":[{"value":"0.00321","scoring_system":"epss","scoring_elements":"0.55402","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00321","scoring_system":"epss","scoring_elements":"0.55421","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00321","scoring_system":"epss","scoring_elements":"0.55432","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00321","scoring_system":"epss","scoring_elements":"0.55427","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-40027"},{"reference_url":"https://github.com/keystonejs/keystone","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keystonejs/keystone"},{"reference_url":"https://github.com/keystonejs/keystone/commit/650e27e6e9b42abfb94c340c8470faf61f0ff284","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-02T17:45:13Z/"}],"url":"https://github.com/keystonejs/keystone/commit/650e27e6e9b42abfb94c340c8470faf61f0ff284"},{"reference_url":"https://github.com/keystonejs/keystone/pull/8771","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-02T17:45:13Z/"}],"url":"https://github.com/keystonejs/keystone/pull/8771"},{"reference_url":"https://github.com/keystonejs/keystone/releases/tag/2023-08-15","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keystonejs/keystone/releases/tag/2023-08-15"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-40027","reference_id":"CVE-2023-40027","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-40027"},{"reference_url":"https://github.com/advisories/GHSA-9cvc-v7wm-992c","reference_id":"GHSA-9cvc-v7wm-992c","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9cvc-v7wm-992c"},{"reference_url":"https://github.com/keystonejs/keystone/security/advisories/GHSA-9cvc-v7wm-992c","reference_id":"GHSA-9cvc-v7wm-992c","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-02T17:45:13Z/"}],"url":"https://github.com/keystonejs/keystone/security/advisories/GHSA-9cvc-v7wm-992c"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/66564?format=json","purl":"pkg:npm/keystone@5.5.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/keystone@5.5.1"}],"aliases":["CVE-2023-40027","GHSA-9cvc-v7wm-992c"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ppy6-36tw-sqft"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/107825?format=json","vulnerability_id":"VCID-4wnq-s17b-j7fq","summary":"Cross-Site Scripting in keystone\nWithdrawn: Duplicate of GHSA-7qcx-jmrc-h2rr","references":[{"reference_url":"https://github.com/keystonejs/keystone/commit/8ecb80960ffd2ae2f241b0bbb62367821a79ff63","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keystonejs/keystone/commit/8ecb80960ffd2ae2f241b0bbb62367821a79ff63"},{"reference_url":"https://github.com/keystonejs/keystone/pull/4478","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keystonejs/keystone/pull/4478"},{"reference_url":"https://www.npmjs.com/advisories/980","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.npmjs.com/advisories/980"},{"reference_url":"https://github.com/advisories/GHSA-h29r-4vqp-8jxf","reference_id":"GHSA-h29r-4vqp-8jxf","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-h29r-4vqp-8jxf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/54520?format=json","purl":"pkg:npm/keystone@4.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2yxf-3ebk-nbeu"},{"vulnerability":"VCID-m9p7-836k-pqfb"},{"vulnerability":"VCID-ppy6-36tw-sqft"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/keystone@4.0.0"}],"aliases":["GHSA-h29r-4vqp-8jxf"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4wnq-s17b-j7fq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/108846?format=json","vulnerability_id":"VCID-k428-up64-47d9","summary":"Field-level access-control bypass for multiselect field\n#### Impact\n\n`@keystone-6/core@2.2.0 || 2.3.0` users who are using the `multiselect` field, and provided field-level access control - are vulnerable to their field-level access control not being used.\n\nList-level access control is **NOT** affected.\n\nField-level access control for fields other than `multiselect` are **NOT** affected.\n\nExample, **you are vulnerable if** you are using field-level access control on a `multiselect` like the following:\n```ts\nconst yourList = list({\n  access: {\n    // this is list-level access control, this is NOT impacted\n  },\n  fields: {\n    yourFieldName: multiselect({\n      // this is field-level access control, for multiselect fields\n      //   this is vulnerable\n      access: {\n        create: ({ session }) => session?.data.isAdmin,\n        update: ({ session }) => session?.data.isAdmin,\n      },\n      options: [\n        { value: 'apples', label: 'Apples' },\n        { value: 'oranges', label: 'Oranges' },\n      ],\n      // ...\n    }),\n    // ...\n  },\n  // ...\n});\n```\n\n#### Mitigation\nPlease upgrade to `@keystone-6/core >= 2.3.1`, where this vulnerability has been closed.\n\n#### Workarounds\nIf for some reason you cannot upgrade your dependencies, you should stop using the `multiselect` field.\n\n#### Credits\nThanks to [Marek R](https://github.com/marekryb) for reporting and submitting the pull request to fix this problem.\n\nIf you have any questions around this security advisory, please don't hesitate to contact us at [security@keystonejs.com](mailto:security@keystonejs.com), or [open an issue on GitHub](https://github.com/keystonejs/keystone/issues/new/choose).\n\nIf you have a security flaw to report for any software in this repository, please see our [SECURITY policy](https://github.com/keystonejs/keystone/blob/main/SECURITY.md).","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-39322","reference_id":"","reference_type":"","scores":[{"value":"0.00975","scoring_system":"epss","scoring_elements":"0.77047","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00975","scoring_system":"epss","scoring_elements":"0.77027","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00975","scoring_system":"epss","scoring_elements":"0.77059","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00975","scoring_system":"epss","scoring_elements":"0.77068","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00975","scoring_system":"epss","scoring_elements":"0.77056","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-39322"},{"reference_url":"https://github.com/keystonejs/keystone","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keystonejs/keystone"},{"reference_url":"https://github.com/keystonejs/keystone/commit/65c6ee3deef23605fc72b80230908696a7a65e7c","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-04-22T15:36:41Z/"}],"url":"https://github.com/keystonejs/keystone/commit/65c6ee3deef23605fc72b80230908696a7a65e7c"},{"reference_url":"https://github.com/keystonejs/keystone/security/advisories/GHSA-6mhr-52mv-6v6f","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-04-22T15:36:41Z/"}],"url":"https://github.com/keystonejs/keystone/security/advisories/GHSA-6mhr-52mv-6v6f"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-39322","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-39322"},{"reference_url":"https://github.com/advisories/GHSA-6mhr-52mv-6v6f","reference_id":"GHSA-6mhr-52mv-6v6f","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6mhr-52mv-6v6f"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/54520?format=json","purl":"pkg:npm/keystone@4.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2yxf-3ebk-nbeu"},{"vulnerability":"VCID-m9p7-836k-pqfb"},{"vulnerability":"VCID-ppy6-36tw-sqft"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/keystone@4.0.0"}],"aliases":["CVE-2022-39322","GHSA-6mhr-52mv-6v6f","GMS-2022-5484"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-k428-up64-47d9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/39090?format=json","vulnerability_id":"VCID-ndu1-2s48-pucm","summary":"Cross-site Scripting\nPossible Cross-site scripting via the \"Contact Us feature\".","references":[{"reference_url":"http://blog.securelayer7.net/keystonejs-open-source-penetration-testing-report","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://blog.securelayer7.net/keystonejs-open-source-penetration-testing-report"},{"reference_url":"http://blog.securelayer7.net/keystonejs-open-source-penetration-testing-report/","reference_id":"","reference_type":"","scores":[],"url":"http://blog.securelayer7.net/keystonejs-open-source-penetration-testing-report/"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-15878","reference_id":"","reference_type":"","scores":[{"value":"0.03604","scoring_system":"epss","scoring_elements":"0.88011","published_at":"2026-06-08T12:55:00Z"},{"value":"0.03604","scoring_system":"epss","scoring_elements":"0.88009","published_at":"2026-06-07T12:55:00Z"},{"value":"0.03604","scoring_system":"epss","scoring_elements":"0.8801","published_at":"2026-06-06T12:55:00Z"},{"value":"0.03604","scoring_system":"epss","scoring_elements":"0.88006","published_at":"2026-06-05T12:55:00Z"},{"value":"0.03604","scoring_system":"epss","scoring_elements":"0.87985","published_at":"2026-06-04T12:55:00Z"},{"value":"0.03604","scoring_system":"epss","scoring_elements":"0.88024","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-15878"},{"reference_url":"https://github.com/advisories/GHSA-7qcx-jmrc-h2rr","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7qcx-jmrc-h2rr"},{"reference_url":"https://github.com/keystonejs/keystone","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keystonejs/keystone"},{"reference_url":"https://github.com/keystonejs/keystone/pull/4478","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keystonejs/keystone/pull/4478"},{"reference_url":"https://packetstormsecurity.com/files/144756/KeystoneJS-4.0.0-beta.5-Unauthenticated-Stored-Cross-Site-Scripting.html","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://packetstormsecurity.com/files/144756/KeystoneJS-4.0.0-beta.5-Unauthenticated-Stored-Cross-Site-Scripting.html"},{"reference_url":"https://securelayer7.net/download/pdf/KeystoneJS-Pentest-Report-SecureLayer7.pdf","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://securelayer7.net/download/pdf/KeystoneJS-Pentest-Report-SecureLayer7.pdf"},{"reference_url":"https://www.exploit-db.com/exploits/43054","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.exploit-db.com/exploits/43054"},{"reference_url":"https://www.exploit-db.com/exploits/43054/","reference_id":"","reference_type":"","scores":[],"url":"https://www.exploit-db.com/exploits/43054/"},{"reference_url":"https://www.npmjs.com/advisories/980","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.npmjs.com/advisories/980"},{"reference_url":"http://www.securityfocus.com/bid/101541","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.securityfocus.com/bid/101541"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/nodejs/webapps/43054.txt","reference_id":"CVE-2017-15878","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/nodejs/webapps/43054.txt"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-15878","reference_id":"CVE-2017-15878","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-15878"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/54520?format=json","purl":"pkg:npm/keystone@4.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2yxf-3ebk-nbeu"},{"vulnerability":"VCID-m9p7-836k-pqfb"},{"vulnerability":"VCID-ppy6-36tw-sqft"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/keystone@4.0.0"}],"aliases":["CVE-2017-15878","GHSA-7qcx-jmrc-h2rr"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ndu1-2s48-pucm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/110253?format=json","vulnerability_id":"VCID-r13j-pm6j-8ubf","summary":"@keystone-6/core's NODE_ENV defaults to development with esbuild\n### Impact\n`@keystone-6/core@3.0.0 || 3.0.1` users that use `NODE_ENV` in their own code (**not dependencies**) to trigger security-sensitive functionality in a production build are vulnerable to `NODE_ENV` being inlined to `\"development\"` for user code.\n\nIf your dependencies use `NODE_ENV` to trigger particular behaviours (optimisations, security or otherwise), they should still respect your environment's configured `NODE_ENV` variable and thereby be unaffected.\n\nIf you do not use `NODE_ENV` in your own code to trigger security-sensitive functionality, **you are not impacted** by this vulnerability.\nAn example of code that would be affected, might be the following:\n\n```typescript\nif (process.env.NODE_ENV !== 'production') {\n  // this code would unintentionally run in your production builds\n}\n```\n\n### Technical Description\nThe problem comes from esbuild defaulting `NODE_ENV` to `\"development\"` when a platform configuration is undefined.\nYou can read about why [`esbuild` has that behaviour in their documentation](https://esbuild.github.io/api/#platform), but the result for Keystone users is that user Typescript was compiled, and had inlined `NODE_ENV` to the constant `\"development\"`. \n\nYour application's dependencies, as found in `node_modules` (including `@keystone-6/core`), are typically not compiled as part of this process, and thus should be unaffected. Therefore any libraries that used `NODE_ENV` to trigger particular behaviours (optimisations, security or otherwise) should still respect your environment's `NODE_ENV`.\nWe have tested this assumption by verifying that `NODE_ENV=production yarn keystone start` still uses secure cookies when using `statelessSessions`.\n\nThereby, the severity of this vulnerability is dependent on what functionality users conditionally triggered, in their own code, depending on the expectation that `NODE_ENV` would be correctly configured in their application. In accordance with Common Vulnerability Scoring System `2.3.3. Assume Vulnerable Configurations`, this security advisory assumes vulnerable configurations and is thus marked as *critical*, but you should evaluate the true security impact for your application to determine a relevant score.\n\n### Patches\nThis vulnerability has been fixed in `@keystone-6/core@3.0.2`, thanks to @mmachatschek in https://github.com/keystonejs/keystone/pull/8031/.\nWe have added regression tests for this vulnerability in https://github.com/keystonejs/keystone/pull/8063.\n\n### Workarounds\nIf you cannot upgrade your `@keystone-6/core` version for any reason, your best alternative is to remove any code that uses `NODE_ENV` in a way that may reasonably impact your application security. \n\n### References\n- https://esbuild.github.io/api/#platform\n- https://github.com/keystonejs/keystone/pull/8031\n- https://github.com/keystonejs/keystone/pull/8063\n\n### For more information\nThanks to [Austin Burdine](https://github.com/acburdine) for reporting this problem as a potential security vulnerability.\n\nIf you have any questions around this security advisory, please don't hesitate to contact us at [security@keystonejs.com](mailto:security@keystonejs.com), or [open an issue on GitHub](https://github.com/keystonejs/keystone/issues/new/choose).\n\nIf you have a security flaw to report for any software in this repository, please see our [SECURITY policy](https://github.com/keystonejs/keystone/blob/main/SECURITY.md).","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-39382","reference_id":"","reference_type":"","scores":[{"value":"0.02127","scoring_system":"epss","scoring_elements":"0.84477","published_at":"2026-06-04T12:55:00Z"},{"value":"0.02127","scoring_system":"epss","scoring_elements":"0.845","published_at":"2026-06-09T12:55:00Z"},{"value":"0.02127","scoring_system":"epss","scoring_elements":"0.84487","published_at":"2026-06-08T12:55:00Z"},{"value":"0.02127","scoring_system":"epss","scoring_elements":"0.84499","published_at":"2026-06-07T12:55:00Z"},{"value":"0.02127","scoring_system":"epss","scoring_elements":"0.84506","published_at":"2026-06-06T12:55:00Z"},{"value":"0.02127","scoring_system":"epss","scoring_elements":"0.84502","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-39382"},{"reference_url":"https://github.com/keystonejs/keystone","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keystonejs/keystone"},{"reference_url":"https://github.com/keystonejs/keystone/pull/8031","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keystonejs/keystone/pull/8031"},{"reference_url":"https://github.com/keystonejs/keystone/pull/8031/","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-04-22T15:36:33Z/"}],"url":"https://github.com/keystonejs/keystone/pull/8031/"},{"reference_url":"https://github.com/keystonejs/keystone/pull/8063","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-04-22T15:36:33Z/"}],"url":"https://github.com/keystonejs/keystone/pull/8063"},{"reference_url":"https://github.com/keystonejs/keystone/security/advisories/GHSA-25mx-2mxm-6343","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-04-22T15:36:33Z/"}],"url":"https://github.com/keystonejs/keystone/security/advisories/GHSA-25mx-2mxm-6343"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-39382","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-39382"},{"reference_url":"https://github.com/advisories/GHSA-25mx-2mxm-6343","reference_id":"GHSA-25mx-2mxm-6343","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-25mx-2mxm-6343"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/54520?format=json","purl":"pkg:npm/keystone@4.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2yxf-3ebk-nbeu"},{"vulnerability":"VCID-m9p7-836k-pqfb"},{"vulnerability":"VCID-ppy6-36tw-sqft"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/keystone@4.0.0"}],"aliases":["CVE-2022-39382","GHSA-25mx-2mxm-6343"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-r13j-pm6j-8ubf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/39123?format=json","vulnerability_id":"VCID-sw46-5p81-kqhv","summary":"Cross-Site Request Forgery (CSRF)\nKeystoneJS allows application-wide CSRF bypass by removing the CSRF parameter and value.","references":[{"reference_url":"http://blog.securelayer7.net/keystonejs-open-source-penetration-testing-report","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://blog.securelayer7.net/keystonejs-open-source-penetration-testing-report"},{"reference_url":"http://blog.securelayer7.net/keystonejs-open-source-penetration-testing-report/","reference_id":"","reference_type":"","scores":[],"url":"http://blog.securelayer7.net/keystonejs-open-source-penetration-testing-report/"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-16570","reference_id":"","reference_type":"","scores":[{"value":"0.00198","scoring_system":"epss","scoring_elements":"0.41778","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00198","scoring_system":"epss","scoring_elements":"0.4177","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00198","scoring_system":"epss","scoring_elements":"0.41805","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00198","scoring_system":"epss","scoring_elements":"0.41834","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00198","scoring_system":"epss","scoring_elements":"0.41824","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00198","scoring_system":"epss","scoring_elements":"0.41748","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-16570"},{"reference_url":"https://github.com/advisories/GHSA-q43c-g2g7-6gxj","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-q43c-g2g7-6gxj"},{"reference_url":"https://github.com/keystonejs/keystone/issues/4437","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keystonejs/keystone/issues/4437"},{"reference_url":"https://github.com/keystonejs/keystone/pull/4478","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keystonejs/keystone/pull/4478"},{"reference_url":"https://securelayer7.net/download/pdf/KeystoneJS-Pentest-Report-SecureLayer7.pdf","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://securelayer7.net/download/pdf/KeystoneJS-Pentest-Report-SecureLayer7.pdf"},{"reference_url":"https://snyk.io/vuln/SNYK-JS-KEYSTONE-449663","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-JS-KEYSTONE-449663"},{"reference_url":"https://www.exploit-db.com/exploits/43922","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.exploit-db.com/exploits/43922"},{"reference_url":"https://www.exploit-db.com/exploits/43922/","reference_id":"","reference_type":"","scores":[],"url":"https://www.exploit-db.com/exploits/43922/"},{"reference_url":"https://www.npmjs.com/advisories/979","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.npmjs.com/advisories/979"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/nodejs/webapps/43922.html","reference_id":"CVE-2017-16570","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/nodejs/webapps/43922.html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-16570","reference_id":"CVE-2017-16570","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-16570"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/120852?format=json","purl":"pkg:npm/keystone@4.0.0-beta.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2yxf-3ebk-nbeu"},{"vulnerability":"VCID-m9p7-836k-pqfb"},{"vulnerability":"VCID-ndu1-2s48-pucm"},{"vulnerability":"VCID-ppy6-36tw-sqft"},{"vulnerability":"VCID-sw46-5p81-kqhv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/keystone@4.0.0-beta.7"},{"url":"http://public2.vulnerablecode.io/api/packages/54520?format=json","purl":"pkg:npm/keystone@4.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2yxf-3ebk-nbeu"},{"vulnerability":"VCID-m9p7-836k-pqfb"},{"vulnerability":"VCID-ppy6-36tw-sqft"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/keystone@4.0.0"}],"aliases":["CVE-2017-16570","GHSA-q43c-g2g7-6gxj"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-sw46-5p81-kqhv"}],"risk_score":"10.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/keystone@4.0.0"}