Description
Vulnerable Library - @weareinreach/app-0.100.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Found in HEAD commit: 5cf90163b7575b50f97bc4456af97c96b694745a
Vulnerabilities
| Vulnerability | Severity | Dependency | Type | Fixed in (@weareinreach/app version) | Remediation Possible** |
|---|---|---|---|---|---|
| CVE-2025-68130 | 9.1 | server-10.45.2.tgz | Transitive | N/A* | ❌ |
| CVE-2025-59471 | 5.9 | next-14.2.32.tgz | Transitive | N/A* | ❌ |
| CVE-2024-55565 | 4.3 | nanoid-3.3.7.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of the direct dependency with a fix. Check the "Details" section below to see if there is a version of the transitive dependency in which the vulnerability is fixed.
**In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.
Details
CVE-2025-68130
Vulnerable Library - server-10.45.2.tgz
Library home page: https://registry.npmjs.org/@trpc/server/-/server-10.45.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @weareinreach/app-0.100.0.tgz (Root Library)
  - ❌ server-10.45.2.tgz (Vulnerable Library)
Found in HEAD commit: 5cf90163b7575b50f97bc4456af97c96b694745a
Found in base branches: dev, main
Vulnerability Details
tRPC allows users to build and consume fully typesafe APIs without schemas or code generation. Starting in version 10.27.0 and prior to versions 10.45.3 and 11.8.0, a prototype pollution vulnerability exists in "@trpc/server"'s "formDataToObject" function, which is used by the Next.js App Router adapter. An attacker can pollute "Object.prototype" by submitting specially crafted FormData field names, potentially leading to authorization bypass, denial of service, or other security impacts. Note that this vulnerability is only present when using "experimental_caller" / "experimental_nextAppDirCaller". Versions 10.45.3 and 11.8.0 fix the issue.
Publish Date: 2025-12-16
URL: CVE-2025-68130
CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: High
  - Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2025-12-16
Fix Resolution: https://github.com/trpc/trpc.git - v11.8.0, https://github.com/trpc/trpc.git - v10.45.3
Step up your Open Source Security Game with Mend here
CVE-2025-59471
Vulnerable Library - next-14.2.32.tgz
The React Framework
Library home page: https://registry.npmjs.org/next/-/next-14.2.32.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @weareinreach/app-0.100.0.tgz (Root Library)
  - ❌ next-14.2.32.tgz (Vulnerable Library)
Found in HEAD commit: 5cf90163b7575b50f97bc4456af97c96b694745a
Found in base branches: dev, main
Vulnerability Details
A denial of service vulnerability exists in self-hosted Next.js applications that have "remotePatterns" configured for the Image Optimizer. The image optimization endpoint ("/_next/image") loads external images entirely into memory without enforcing a maximum size limit, allowing an attacker to cause out-of-memory conditions by requesting optimization of arbitrarily large images. This vulnerability requires that "remotePatterns" is configured to allow image optimization from external domains and that the attacker can serve or control a large image on an allowed domain. Strongly consider upgrading to 15.5.10 or 16.1.5 to reduce risk and prevent availability issues in Next applications.
Publish Date: 2026-01-26
URL: CVE-2025-59471
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-9g9p-9gw9-jx7f
Release Date: 2026-01-26
Fix Resolution: next - 15.5.10, next - 16.1.5
CVE-2024-55565
Vulnerable Library - nanoid-3.3.7.tgz
Library home page: https://registry.npmjs.org/nanoid/-/nanoid-3.3.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @weareinreach/app-0.100.0.tgz (Root Library)
  - next-14.2.32.tgz
    - postcss-8.4.31.tgz
      - ❌ nanoid-3.3.7.tgz (Vulnerable Library)
Found in HEAD commit: 5cf90163b7575b50f97bc4456af97c96b694745a
Found in base branches: dev, main
Vulnerability Details
nanoid (aka Nano ID) before 5.0.9 mishandles non-integer values. 3.3.8 is also a fixed version.
Publish Date: 2024-12-09
URL: CVE-2024-55565
CVSS 3 Score Details (4.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: Low
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-55565
Release Date: 2024-12-09
Fix Resolution: nanoid - 3.3.8, nanoid - 5.0.9, https://github.com/ai/nanoid.git - 3.3.8, https://github.com/ai/nanoid.git - 5.0.9