@evershop/evershop 2.1.1

Direct Vulnerabilities

Known vulnerabilities in the @evershop/evershop package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Server-side Request Forgery (SSRF) @evershop/evershop is a The React Ecommerce platform. Built with React and Postgres. Open-source and free. Fast and customizable. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the `GET /images` API endpoint. An attacker can cause the server to initiate arbitrary HTTP or HTTPS requests to internal or external networks by supplying crafted values to the `src` query parameter. How to fix Server-side Request Forgery (SSRF)? There is no fixed version for `@evershop/evershop`.	>=2.1.0
H Excessive Platform Resource Consumption within a Loop @evershop/evershop is a The React Ecommerce platform. Built with React and Postgres. Open-source and free. Fast and customizable. Affected versions of this package are vulnerable to Excessive Platform Resource Consumption within a Loop via the `GET /images` API endpoint when processing SVG files using the `sharp` module. An unauthenticated attacker can cause unbounded resource consumption and disrupt system availability by submitting specially crafted SVG files that exploit the lack of limits on the height of the use-element shadow tree or the dimensions of pattern tiles. How to fix Excessive Platform Resource Consumption within a Loop? There is no fixed version for `@evershop/evershop`.	>=2.1.0
M Resource Injection @evershop/evershop is a The React Ecommerce platform. Built with React and Postgres. Open-source and free. Fast and customizable. Affected versions of this package are vulnerable to Resource Injection via the use of `getOrdersBaseQuery()` in `Order.resolvers.js`. An attacker can access unauthorized order information by supplying crafted identifiers to the query. How to fix Resource Injection? There is no fixed version for `@evershop/evershop`.	*

Vulnerability

Vulnerable Version

Server-side Request Forgery (SSRF)

@evershop/evershop is a The React Ecommerce platform. Built with React and Postgres. Open-source and free. Fast and customizable.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the GET /images API endpoint. An attacker can cause the server to initiate arbitrary HTTP or HTTPS requests to internal or external networks by supplying crafted values to the src query parameter.

How to fix Server-side Request Forgery (SSRF)?

There is no fixed version for @evershop/evershop.

>=2.1.0

Excessive Platform Resource Consumption within a Loop

@evershop/evershop is a The React Ecommerce platform. Built with React and Postgres. Open-source and free. Fast and customizable.

Affected versions of this package are vulnerable to Excessive Platform Resource Consumption within a Loop via the GET /images API endpoint when processing SVG files using the sharp module. An unauthenticated attacker can cause unbounded resource consumption and disrupt system availability by submitting specially crafted SVG files that exploit the lack of limits on the height of the use-element shadow tree or the dimensions of pattern tiles.

How to fix Excessive Platform Resource Consumption within a Loop?

There is no fixed version for @evershop/evershop.

>=2.1.0

Resource Injection

@evershop/evershop is a The React Ecommerce platform. Built with React and Postgres. Open-source and free. Fast and customizable.

Affected versions of this package are vulnerable to Resource Injection via the use of getOrdersBaseQuery() in Order.resolvers.js. An attacker can access unauthorized order information by supplying crafted identifiers to the query.

How to fix Resource Injection?

There is no fixed version for @evershop/evershop.

@evershop/evershop@2.1.1

The React Ecommerce platform. Built with Typescript, React and Postgres. Open-source and free. Fast and customizable.

latest version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically