grunt@1.0.2 vulnerabilities

The JavaScript Task Runner

  • latest version

    1.6.1

  • latest non-vulnerable version

  • first published

    12 years ago

  • latest version published

    1 year ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the grunt package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability / Vulnerable Version
    • M
    Race Condition

    grunt is a JavaScript task runner.

    Affected versions of this package are vulnerable to a Race Condition in the file.copy operations. Exploiting this vulnerability leads to arbitrary file writes when an attacker can create a symlink just after the destination symlink is deleted, but right before the symlink is written.

    How to fix Race Condition?

    Upgrade grunt to version 1.5.3 or higher.

    <1.5.3
    • M
    Directory Traversal

    grunt is a JavaScript task runner.

    Affected versions of this package are vulnerable to Directory Traversal via creation of a symlink to a restricted file, if a local attacker has write access to the source directory of file.copy.

    How to fix Directory Traversal?

    Upgrade grunt to version 1.5.0 or higher.

    <1.5.0
    • H
    Arbitrary Code Execution

    grunt is a JavaScript task runner.

    Affected versions of this package are vulnerable to Arbitrary Code Execution because grunt.file.readYAML uses the js-yaml package's load() function by default instead of its secure replacement, safeLoad().

    How to fix Arbitrary Code Execution?

    Upgrade grunt to version 1.3.0 or higher.

    <1.3.0