add jsonpath plus lib

[muldos]

No description provided.

[github-actions]

📦 Vulnerable Dependencies

✍️ Summary

SEVERITY	CONTEXTUAL ANALYSIS	DIRECT DEPENDENCIES	IMPACTED DEPENDENCY	FIXED VERSIONS	CVES
Critical	Applicable	lodash:4.17.1	lodash 4.17.1	[4.17.12]	CVE-2019-10744
Critical	Applicable	ejs:3.1.6	ejs 3.1.6	-	CVE-2023-29827
Critical	Applicable	ejs:3.1.6	ejs 3.1.6	[3.1.7]	CVE-2022-29078
Critical	Not Covered	jsonpath-plus:10.0.0	jsonpath-plus 10.0.0	[10.0.7]	CVE-2024-21534
High	Not Covered	express:4.18.2	path-to-regexp 0.1.7	[0.1.10] [1.9.0] [3.3.0] [6.3.0] [8.0.0]	CVE-2024-45296
Medium	Applicable	lodash:4.17.1	lodash 4.17.1	[4.17.11]	CVE-2018-16487
Medium	Not Covered	lodash:4.17.1	lodash 4.17.1	[4.17.11]	CVE-2019-1010266
Medium	Not Covered	lodash:4.17.1	lodash 4.17.1	[4.17.5]	CVE-2018-3721
Medium	Not Covered	express:4.18.2	serve-static 1.15.0	[1.16.0] [2.1.0]	CVE-2024-43800
Medium	Not Covered	express:4.18.2	send 0.18.0	[0.19.0]	CVE-2024-43799
Medium	Not Covered	express:4.18.2	express 4.18.2	[4.20.0] [5.0.0]	CVE-2024-43796
Medium	Not Covered	express:4.18.2	express 4.18.2	[4.19.2] [5.0.0-beta.3]	CVE-2024-29041
Low	Not Covered	express:4.18.2	cookie 0.5.0	[0.7.0]	CVE-2024-47764
Unknown	Not Covered	ejs:3.1.6	async 3.2.5	-	CVE-2024-39249
High	Not Applicable	express:4.18.2	body-parser 1.20.1	[1.20.3]	CVE-2024-45590
High	Not Applicable	lodash:4.17.1	lodash 4.17.1	[4.17.21]	CVE-2021-23337
High	Not Applicable	lodash:4.17.1	lodash 4.17.1	[4.17.19]	CVE-2020-8203
Medium	Not Applicable	ejs:3.1.6	ejs 3.1.6	[3.1.10]	CVE-2024-33883
Medium	Not Applicable	lodash:4.17.1	lodash 4.17.1	[4.17.21]	CVE-2020-28500

🔬 Research Details

[ CVE-2019-10744 ] lodash 4.17.1

Description:
lodash is a modern JavaScript utility library delivering modularity, performance, & extras.

The function defaultsDeep was found to be vulnerable to prototype pollution, when accepting arbitrary source objects from untrusted input

Example of code vulnerable to this issue -

const lodash = require('lodash'); 
const evilsrc = {constructor: {prototype: {evilkey: "evilvalue"}}};
lodash.defaultsDeep({}, evilsrc)

Remediation:

Development mitigations

Add the Object.freeze(Object.prototype); directive once at the beginning of your main JS source code file (ex. index.js), preferably after all your require directives. This will prevent any changes to the prototype object, thus completely negating prototype pollution attacks.

[ CVE-2023-29827 ] ejs 3.1.6

Description:
Embedded JavaScript templates, also known as EJS, is one of the most popular Node.js templating engines, which is compiled with the Express JS view system.

When rendering views using EJS, it is possible to bypass ejs' template injection restrictions, by abusing the closeDelimiter rendering option, in the case when -

1. The template itself can be partially controlled by the attacker
2. The template rendering options can be fully controlled by the attacker

The vulnerability was rightfully disputed due to the fact that a vulnerable configuration is extremely unlikely to exist in any real-world setup. As such, the maintainers will not provide a fix for this (non-)issue.

Example of a vulnerable application -

const express = require('express')
const app = express()
const port = 3000

app.set('view engine', 'ejs');

app.get('/page', (req,res) => {
    res.render('page', req.query); // OPTS (2nd parameter) IS ATTACKER-CONTROLLED
})

app.listen(port, () => {
  console.log("Example app listening on port ${port}")
})

Contents of page.ejs (very unlikely to be attacker controlled) -

%%1");process.mainModule.require('child_process').execSync('calc');//

In this case, sending closeDelimiter with the same malicious code that already exists at page.ejs will trigger the injection -
http://127.0.0.1:3000/page?settings[view%20options][closeDelimiter]=1")%3bprocess.mainModule.require('child_process').execSync('calc')%3b//

[ CVE-2022-29078 ] ejs 3.1.6

Description:
Embedded JavaScript templates, also known as EJS, is one of the most popular Node.js templating engines, which is compiled with the Express JS view system.

When rendering views using EJS, it is possible to perform template injection on the opts.outputFunctionName variable, since the variable is injected into the template body without any escaping. Although it is unlikely that the attacker can directly control the outputFunctionName property, it is possible that it can be influenced in conjunction with a prototype pollution vulnerability.

Once template injection is achieved, the attacker can immediately perform remote code execution since the template engine (EJS) allows executing arbitrary JavaScript code.

Example of a vulnerable Node.js application -

const express = require('express');
const bodyParser = require('body-parser');
const lodash = require('lodash');
const ejs = require('ejs');

const app = express();

app
    .use(bodyParser.urlencoded({extended: true}))
    .use(bodyParser.json());

app.set('views', './');
app.set('view engine', 'ejs');

app.get("/", (req, res) => {
    res.render('index');
});

app.post("/", (req, res) => {
    let data = {};
    let input = JSON.parse(req.body.content);
    lodash.defaultsDeep(data, input);
    res.json({message: "OK"});
});

let server = app.listen(8086, '0.0.0.0', function() {
    console.log('Listening on port %d', server.address().port);
});

Exploiting the above example for RCE -
curl 127.0.0.1:8086 -v --data 'content={"constructor": {"prototype": {"outputFunctionName": "a; return global.process.mainModule.constructor._load(\"child_process\").execSync(\"whoami\"); //"}}}'

Due to the prototype pollution in the lodash.defaultsDeep call, an attacker can inject the outputFunctionName property with an arbitrary value. The chosen value executes an arbitrary process via the child_process module.

Remediation:

Development mitigations

Add the Object.freeze(Object.prototype); directive once at the beginning of your main JS source code file (ex. index.js), preferably after all your require directives. This will prevent any changes to the prototype object, thus completely negating prototype pollution attacks.

Note that this mitigation is supposed to stop any prototype pollution attacks which can allow an attacker to control the opts.outputFunctionName parameter indirectly.

The mitigation will not stop any (extremely unlikely) scenarios where the JavaScript code allows external input to directly affect opts.outputFunctionName.

[ CVE-2024-21534 ] jsonpath-plus 10.0.0

Description:
Versions of the package jsonpath-plus before 10.0.7 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of vm in Node.

Note:

There was an attempt to fix it in version 10.0.0 but it could still be exploited using different payloads.

[ CVE-2024-45296 ] path-to-regexp 0.1.7

Description:
path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a DoS. The bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0.

Remediation:

Development mitigations

This vulnerability can be mitigated by manually defining the parameter's regular expression when two or more parameters exist in a single segment. For example, /flights/:from-:to(\\w+) instead of /flights/:from-:to.

[ CVE-2018-16487 ] lodash 4.17.1

Description:
The Lodash library is an open-source JavaScript project that simplifies operations on string, arrays, numbers, and other objects. It is widely used in connected devices.

The merge, mergeWith, and defaultsDeep methods in Lodash are vulnerable to prototype pollution. Attackers can exploit this vulnerability by specifying a crafted sources parameter to any of these methods, which can modify the prototype properties of the Object, Function, Array, String, Number, and Boolean objects. A public exploit exists which performs the prototype pollution with an arbitrary key and value.

The library implementation has a bug in the safeGet() function in the lodash.js module that allows for adding or modifying prototype properties of various objects. The official solution fixes the bug by explicitly forbidding the addition or modification of prototype properties.

A related CVE (CVE-2018-3721) covers the same issue prior to Lodash version 4.17.5, but the fix for that was incomplete.

Remediation:

Development mitigations

Add the Object.freeze(Object.prototype); directive once at the beginning of your main JS source code file (ex. index.js), preferably after all your require directives. This will prevent any changes to the prototype object, thus completely negating prototype pollution attacks.

[ CVE-2019-1010266 ] lodash 4.17.1

Description:
lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.

[ CVE-2018-3721 ] lodash 4.17.1

Description:
lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via proto, causing the addition or modification of an existing property that will exist on all objects.

[ CVE-2024-43800 ] serve-static 1.15.0

Description:
serve-static serves static files. serve-static passes untrusted user input - even after sanitizing it - to redirect() may execute untrusted code. This issue is patched in serve-static 1.16.0.

[ CVE-2024-43799 ] send 0.18.0

Description:
Send is a library for streaming files from the file system as a http response. Send passes untrusted user input to SendStream.redirect() which executes untrusted code. This issue is patched in send 0.19.0.

[ CVE-2024-43796 ] express 4.18.2

Description:
Express.js minimalist web framework for node. In express < 4.20.0, passing untrusted user input - even after sanitizing it - to response.redirect() may execute untrusted code. This issue is patched in express 4.20.0.

[ CVE-2024-29041 ] express 4.18.2

Description:
Express.js minimalist web framework for node. Versions of Express.js prior to 4.19.0 and all pre-release alpha and beta versions of 5.0 are affected by an open redirect vulnerability using malformed URLs. When a user of Express performs a redirect using a user-provided URL Express performs an encode using encodeurl on the contents before passing it to the location header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list. The main method impacted is res.location() but this is also called from within res.redirect(). The vulnerability is fixed in 4.19.2 and 5.0.0-beta.3.

[ CVE-2024-47764 ] cookie 0.5.0

Description:
cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie. Upgrade to 0.7.0, which updates the validation for name, path, and domain.

[ CVE-2024-39249 ] async 3.2.5

Description:
Async <= 2.6.4 and <= 3.2.5 are vulnerable to ReDoS (Regular Expression Denial of Service) while parsing function in autoinject function. NOTE: this is disputed by the supplier because there is no realistic threat model: regular expressions are not used with untrusted input.

[ CVE-2024-45590 ] body-parser 1.20.1

Description:
body-parser is Node.js body parsing middleware. body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. This issue is patched in 1.20.3.

Remediation:

Development mitigations

The vulnerability can be mitigated by specifying extended = false when initializing the URL-encoded parser.

[ CVE-2021-23337 ] lodash 4.17.1

Description:
JavaScript-based applications (both frontend and backend) that use the template function -_.template([string=''], [options={}]) from the lodash utility library and provide the options argument (specifically the variable option) from untrusted user input, are vulnerable to JavaScript code injection. This issue can be easily exploited, and an exploitation example is publicly available in the fix tests that was introduced in version 4.17.21 -

lodash.template('', { variable: '){console.log(process.env)}; with(obj' })()

[ CVE-2020-8203 ] lodash 4.17.1

Description:
lodash is a JavaScript library which provides utility functions for common programming tasks.

JavaScript frontend and Node.js-based backend applications that merge or zip objects using the lodash functions mergeWith, merge and zipObjectDeep are vulnerable to prototype pollution if one or more of the objects it receives as arguments are obtained from user input.
An attacker controlling this input given to the vulnerable functions can inject properties to JavaScript special objects such as Object.prototype from which all JavaScript objects inherit properties and methods. Any change on Object.prototype properties will then propagate through the prototype chain inheritance to all of the objects in a JavaScript application. This in turn would allow an attacker to add new properties or modify existing properties which will have application specific implications that could lead to DoS (denial of service), authentication bypass, privilege escalation and even RCE (remote code execution) in some cases.
As an example for privilege escalation, consider a JavaScript application that has a user object which has a Boolean property of user.isAdmin which is used to decide which actions the user may take. If an attacker can modify or add the isAdmin property through prototype pollution, it can escalate the privileges of its own user to those of an admin.
As exploitation is usually application specific, successful exploitation is much more likely if an attacker have access to the JavaScript application code. As such, frontend applications are more vulnerable to this vulnerability than Node.js backend applications.

Remediation:

Deployment mitigations

As general guidelines against prototype pollution, first consider not merging objects originating from user input or using a Map structure instead of an object. If merging objects is needed, look into creating objects without a prototype with Object.create(null) or into freezing Object.prototype with Object.freeze(). Finally, it is always best to perform input validation with a a JSON schema validator, which could mitigate this issue entirely in many cases.

[ CVE-2024-33883 ] ejs 3.1.6

Description:
Embedded JavaScript templates, also known as EJS, is one of the most popular Node.js templating engines, which is compiled with the Express JS view system.

A prototype pollution gadget within the EJS template engine could potentially be leveraged by attackers to achieve remote code execution or DoS via prototype pollution.

function Template(text, opts) {
  opts = opts || utils.createNullProtoObjWherePossible();

When checking for the presence of a property within an object variable, the lookup scope isn't explicitly defined. In JavaScript, the absence of a defined lookup scope prompts a search up to the root prototype (Object.prototype). This could potentially be under the control of an attacker if another prototype pollution vulnerability is present within the application.

If the application server is using the EJS as the backend template engine, and there is another prototype pollution vulnerability in the application, then the attacker could leverage the found gadgets in the EJS template engine to escalate the prototype pollution to remote code execution or DoS.

The following code will execute a command on the server by polluting opts.escapeFunction:

const express = require('express');
const app = express();
const port = 8008;
const ejs = require('ejs');

// Set EJS as the view engine
app.set('view engine', 'ejs');

app.get('/', (req, res) => {
    
    const data = {title: 'Welcome', message: 'Hello'};

    // Sample EJS template string
    const templateString = `<html><head><title><%= title %></title></head><body><h1><%= message %></h1></body></html>`;

    const { exec } = require('child_process');

    function myFunc() {
        exec('bash -c "echo 123"', (error, stdout, stderr) => {
            if (error) {
                console.error(`exec error: ${error}`);
                return;
            }
            if (stderr){
                console.log(`stderr : ${stderr}`);
                return;
            }
            // Handle success
            console.log(`Command executed successfully. Output: ${stdout}`);
        });
    }

    const options = {client:false};

    Object.prototype.escapeFunction = myFunc;
    
    const compiledTemplate = ejs.compile(templateString, options);
    const renderedHtml = compiledTemplate(data);
    res.send(renderedHtml);
});

// Start the server
app.listen(port, () => {
    console.log(`Server is running on http://localhost:${port}`);
});

[ CVE-2020-28500 ] lodash 4.17.1

Description:
JavaScript-based applications that use lodash and specifically the _.toNumber, _.trim and _.trimEnd functions, could be vulnerable to DoS (Denial of Service) through a faulty regular expression that introduces a ReDoS (Regular Expression DoS) vulnerability. This vulnerability is only triggered if untrusted user input flows into these vulnerable functions and the attacker can supply arbitrary long strings (over 50kB) that contain whitespaces.

On a modern Core i7-based system, calling the vulnerable functions with a 50kB string could take between 2 to 3 seconds to execute and 4.5 minutes for a longer 500kB string. The fix improved the regular expression performance so it took only a few milliseconds on the same Core i7-based system. This vulnerability is easily exploitable as all is required is to build a string that triggers it as can be seen in this PoC reproducing code -

var untrusted_user_input_50k = "a" + ' '.repeat(50000) + "z"; // assume this is provided over the network
lo.trimEnd(untrusted_user_input_50k); // should take a few seconds to run
var untrusted_user_input_500k = "a" + ' '.repeat(500000) + "z"; // assume this is provided over the network
lo.trimEnd(untrusted_user_input_500k); // should take a few minutes to run

Remediation:

Deployment mitigations

Trim untrusted strings based on size before providing it to the vulnerable functions by using the substring function to with a fixed maximum size like so - js untrusted_user_input.substring(0, max_string_size_less_than_50kB);

---

🐸 JFrog Frogbot

[github-actions]

lodash.defaultsDeep(data, input)

at server.js (line 31)

📦🔍 Contextual Analysis CVE Vulnerability

Severity	Impacted Dependency	Finding	CVE
Critical	lodash:4.17.1	The vulnerable function defaultsDeep is called with external input	CVE-2019-10744

Description

The scanner checks whether the vulnerable function defaultsDeep is called with external input to its 2nd (sources) argument, and the Object.freeze() remediation is not present.

CVE details

Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Remediation

Development mitigations

Add the Object.freeze(Object.prototype); directive once at the beginning of your main JS source code file (ex. index.js), preferably after all your require directives. This will prevent any changes to the prototype object, thus completely negating prototype pollution attacks.

---

🐸 JFrog Frogbot

[github-actions]

app.set('view engine', 'ejs')

at server.js (line 14)

📦🔍 Contextual Analysis CVE Vulnerability

Severity	Impacted Dependency	Finding	CVE
Critical	ejs:3.1.6	The vulnerable functionality is triggered since express.set is called with 'view engine' as the first argument and 'ejs' as the second argument or both arguments with external input	CVE-2023-29827

Description

The scanner checks whether any of the following conditions are met:

1. The ejs.renderFile function is called with an unknown third argument.

2. The ejs.compile function is called with an unknown second argument.

3. The express.set function is called with any of the following arguments:

• express.set("view engine", "ejs")
• express.set("view engine", {USER_INPUT})
• express.set({USER_INPUT}, "ejs")
• express.set({USER_INPUT}, {USER_INPUT})

CVE details

ejs v3.1.9 is vulnerable to server-side template injection. If the ejs file is controllable, template injection can be implemented through the configuration settings of the closeDelimiter parameter. NOTE: this is disputed by the vendor because the render function is not intended to be used with untrusted input.

---

🐸 JFrog Frogbot

[github-actions]

app.set('view engine', 'ejs')

at server.js (line 14)

📦🔍 Contextual Analysis CVE Vulnerability

Severity	Impacted Dependency	Finding	CVE
Critical	ejs:3.1.6	The vulnerable functionality is triggered since express.set is called with 'view engine' as the first argument and 'ejs' as the second argument or both arguments with external input	CVE-2022-29078

Description

The scanner checks for two vulnerable flows:

1. Whether the express.set function is called with the arguments: view engine and ejs, or external input and if it's followed by a call to the vulnerable function render with an unknown second argument.

2. Whether the renderFile function is called with an unknown second argument.

The scanner also checks whether the Object.freeze() remediation is not present.

CVE details

The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).

Remediation

Development mitigations

Add the Object.freeze(Object.prototype); directive once at the beginning of your main JS source code file (ex. index.js), preferably after all your require directives. This will prevent any changes to the prototype object, thus completely negating prototype pollution attacks.

Note that this mitigation is supposed to stop any prototype pollution attacks which can allow an attacker to control the opts.outputFunctionName parameter indirectly.

The mitigation will not stop any (extremely unlikely) scenarios where the JavaScript code allows external input to directly affect opts.outputFunctionName.

---

🐸 JFrog Frogbot

[github-actions]

lodash.defaultsDeep(data, input)

at server.js (line 31)

📦🔍 Contextual Analysis CVE Vulnerability

Severity	Impacted Dependency	Finding	CVE
Medium	lodash:4.17.1	The vulnerable function merge/mergeWith/defaultsDeep is called with external input	CVE-2018-16487

Description

The scanner checks whether any of the following vulnerable functions are called:

• lodash.merge with external input to its 2nd (sources) argument.
• lodash.mergeWith with external input to its 2nd (sources) argument.
• lodash.defaultsDeep with external input to its 2nd (sources) argument.

The scanner also checks whether the Object.freeze() remediation is not present.

CVE details

A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.

Remediation

Development mitigations

Add the Object.freeze(Object.prototype); directive once at the beginning of your main JS source code file (ex. index.js), preferably after all your require directives. This will prevent any changes to the prototype object, thus completely negating prototype pollution attacks.

---

🐸 JFrog Frogbot

[github-actions]

req.query

at server.js (line 25)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity	Finding
High	Untrusted input is used as a response template

Full description

Overview

Template Object Injection (TOI) is a vulnerability that can occur in
web applications that use template engines to render dynamic content.
Template engines are commonly used to generate HTML pages, emails, or
other types of documents that include variable data. TOI happens when
untrusted user input is included as part of the template rendering
process, and the template engine evaluates the input as a code
expression, leading to potential code injection or data tampering
attacks. To prevent TOI vulnerabilities, it's important to sanitize and
validate all user input that is used as part of the template rendering
process.

Query operation

In this query we look for user inputs that flow directly to a
request render.

Vulnerable example

var app = require('express')();
app.set('view engine', 'hbs');

app.use(require('body-parser').json());
app.use(require('body-parser').urlencoded({ extended: false }));
app.post('/path', function(req, res) {
    var bodyParameter = req.body.bodyParameter;
    var queryParameter = req.query.queryParameter;
    res.render('template', bodyParameter);
});

In this example, a user-provided data is injected directly into the
render command, leading to potential code injection or data
tampering attacks.

Remediation

+   const sanitizeHtml = require('sanitize-html');
var app = require('express')();
app.set('view engine', 'hbs');
app.use(require('body-parser').json());
app.use(require('body-parser').urlencoded({ extended: false }));
app.post('/path', function(req, res) {
    var bodyParameter = req.body.bodyParameter;
    var queryParameter = req.query.queryParameter;

-       res.render('template', bodyParameter);
+       res.render('template', sanitizeHtml(bodyParameter));
});
Using `sanitize-html`, the user-provided data is sanitized, before
rendering to the response.

Code Flows

Vulnerable data flow analysis result

↘️ req (at server.js line 21)

↘️ req (at server.js line 25)

↘️ req.query (at server.js line 25)

---

🐸 JFrog Frogbot

[github-actions]

express()

at server.js (line 8)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity	Finding
Low	Express application lacks security middleware

Full description

Overview

Helmet library should be used when using Express in order to properly configure
HTTP header settings to mitigate a range of well-known vulnerabilities.

Remediation

const helmet = require("helmet");
const app = express()

app.use(helmet())

References

Best practices for Express

---

🐸 JFrog Frogbot

[github-actions]

Math.random()

at public/js/bootstrap.js (line 136)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity	Finding
Low	Using a non-cryptographically secure random number generator function

Full description

Overview

A use of insecure random vulnerability is a type of security flaw that is
caused by the use of inadequate or predictable random numbers in a program
or system. Random numbers are used in many security-related applications,
such as generating cryptographic keys and if the numbers are not truly
random, an attacker may be able to predict or recreate them, potentially
compromising the security of the system.

Vulnerable example

var randomNum = Math.random();

Math.random is not secured, as it creates predictable random numbers.

Remediation

var randomNum = crypto.randomInt(0, 100)

crypto.randomInt is secured, and creates much less predictable random
numbers.

---

🐸 JFrog Frogbot

[github-actions]

Math.random()

at public/js/bootstrap.bundle.js (line 135)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity	Finding
Low	Using a non-cryptographically secure random number generator function

Full description

Overview

A use of insecure random vulnerability is a type of security flaw that is
caused by the use of inadequate or predictable random numbers in a program
or system. Random numbers are used in many security-related applications,
such as generating cryptographic keys and if the numbers are not truly
random, an attacker may be able to predict or recreate them, potentially
compromising the security of the system.

Vulnerable example

var randomNum = Math.random();

Math.random is not secured, as it creates predictable random numbers.

Remediation

var randomNum = crypto.randomInt(0, 100)

crypto.randomInt is secured, and creates much less predictable random
numbers.

---

🐸 JFrog Frogbot