Using vulnerable dependencies in package.json in star7th/showdoc

Reported on Mar 18th 2022

Hello team, Showdoc is using an axios 0.17.1 dependency that is vulnerable to: 👇

1. CVE-2021-3749 Regular Expression Denial of Service (ReDoS)
2. CVE-2020-28168 Server-Side Request Forgery (SSRF)
3. CVE-2019-10742 Denial of Service (DoS)

Path to the file:


Patch recommendation:

1. Update axios 0.17.1 to axios 0.21.3
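A defender-side check for the recommendation above, added here as an example (it is not code from the report or from star7th/showdoc): it walks an npm lockfile, finds every installed copy of axios, including nested copies under other packages, and flags those below the fixed version the report names (0.21.3). It assumes the two lockfile shapes npm writes (lockfileVersion 1 with a nested `dependencies` tree, lockfileVersion 2/3 with a `packages` map keyed by path) and uses no third-party modules; the sample lockfiles are constructed for this example.

```javascript
// Added example (not from the huntr report or showdoc): flag installed copies of
// axios below the version the report recommends. Sample lockfiles are constructed.

const PACKAGE_NAME = "axios";
const FIXED_VERSION = "0.21.3"; // patch recommendation from the report

// Parse "MAJOR.MINOR.PATCH" (a leading ^, ~, = or v is ignored) into numbers.
function parseVersion(v) {
  const m = /^\s*[\^~=v]?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// -1, 0 or 1 for a < b, a == b, a > b; throws on an unparsable version string.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  if (!pa || !pb) throw new Error(`unparsable version: ${!pa ? a : b}`);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Return every installed copy of `name` whose version is below `fixed`,
// as { path, version } records. Nested copies (a/node_modules/axios) count too.
function findVulnerable(lock, name = PACKAGE_NAME, fixed = FIXED_VERSION) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: keys are paths such as "node_modules/a/node_modules/axios".
    for (const [path, entry] of Object.entries(lock.packages)) {
      const leaf = path.split("node_modules/").pop();
      if (leaf === name && entry.version && compareVersions(entry.version, fixed) < 0) {
        hits.push({ path, version: entry.version });
      }
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested "dependencies" objects.
    const walk = (deps, prefix) => {
      for (const [dep, entry] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${dep}`;
        if (dep === name && entry.version && compareVersions(entry.version, fixed) < 0) {
          hits.push({ path, version: entry.version });
        }
        if (entry.dependencies) walk(entry.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Constructed sample: a direct axios 0.17.1 plus a nested, already-fixed copy.
const SAMPLE_LOCK_V2 = {
  lockfileVersion: 2,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/axios": { version: "0.17.1" },
    "node_modules/some-client": { version: "1.0.0" },
    "node_modules/some-client/node_modules/axios": { version: "0.21.4" },
  },
};

// The same tree in lockfileVersion 1 form (constructed).
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    axios: { version: "0.17.1" },
    "some-client": { version: "1.0.0", dependencies: { axios: { version: "0.21.4" } } },
  },
};

console.log(JSON.stringify(findVulnerable(SAMPLE_LOCK_V2)));
```

On a real tree, replace the constructed objects with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; the lockfile, not the `package.json` range, is what tells you which version actually ships, and the nested-copy case is why grepping the top-level entry alone is not enough.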
We are processing your report and will contact the star7th/showdoc team within 24 hours. 2 years ago
We have contacted a member of the star7th/showdoc team and are waiting to hear back 2 years ago
star7th validated this vulnerability 2 years ago
akshayravic09yc47 has been awarded the disclosure bounty
The fix bounty is now up for grabs
star7th marked this as fixed in 2.10.4 with commit 39b82c 2 years ago
star7th has been awarded the fix bounty
Jamie Slome
2 years ago

Hi both 👋

The bounties have been zeroed out here, as our disclosure policy does not allow rewards for vulnerabilities in dependencies that are consumed as part of a library or repository. The vulnerability must be in the package/repository itself, i.e. in star7th/showdoc.

Let me know if you have any questions 👍

Akshay Ravi
2 years ago

