taffydb @2.6.2
TaffyDB is an open source library that brings database features into your JavaScript applications.
Maintainers
Changes from v0.0.1
No metadata changes detected.
File Changes
Risk Dispositions (1 applicable to this version, 0 other)
Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.
| Rule | Source | Disposition | Author | Reason |
|---|---|---|---|---|
| osv:GHSA-mxhp-79qh-mcx6 | osv | reject | AI | AI (osv): HIGH severity CVE-2019-10790 affects all versions <= 2.7.3 with no fix available. Package is unmaintained; this advisory generalizes to every published version. |
SAST Findings (3)
[Always reject] CVSS 7.5 (HIGH) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N TaffyDB allows attackers to forge its internal index by adding additional properties to user input processed by taffy, which can allow access to any data item in the DB. Taffy sets an internal index for each data item in its DB. However, this internal index can be forged by adding additional properties to user input. If an index is found in the query, TaffyDB ignores the other query conditions and directly returns the indexed data item. Moreover, the internal index is in an easily guessable format (e.g., T000002R000001). As such, attackers can use this vulnerability to access any data item in the DB. **Note:** `taffy` and its successor package `taffydb` are not maintained.
This version was published by a different npm account than previous versions on 2016-09-02. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
Review Summary
Risk score: 78. Findings: 1 critical (+40), 1 high (+25), 1 medium (+10), 1 low (+3).
Commit: f8c22bc79a7a
Published to npm: