server-sdk-3.22.1.tgz: 2 vulnerabilities (highest severity is: 8.7) #1
Description
Vulnerable Library - server-sdk-3.22.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Vulnerabilities
| Vulnerability | Severity |  CVSS |
Dependency | Type | Fixed in (server-sdk version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2025-7783 |  High |
8.7 | form-data-4.0.3.tgz | Transitive | 3.22.3 | ✅ |
| CVE-2025-65945 | High |
7.5 | jws-3.2.2.tgz | Transitive | 3.22.3 | ✅ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2025-7783
Vulnerable Library - form-data-4.0.3.tgz
A library to create readable "multipart/form-data" streams. Can be used to submit forms and file uploads to other web applications.
Library home page: https://registry.npmjs.org/form-data/-/form-data-4.0.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- server-sdk-3.22.1.tgz (Root Library)
- @vonage/messages-1.20.1.tgz
- vetch-1.8.0.tgz
- node-fetch-2.6.11.tgz
- ❌ form-data-4.0.3.tgz (Vulnerable Library)
- node-fetch-2.6.11.tgz
- vetch-1.8.0.tgz
- @vonage/messages-1.20.1.tgz
Found in base branch: main
Vulnerability Details
Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated with program files lib/form_data.Js.
This issue affects form-data: < 2.5.4, 3.0.0 - 3.0.3, 4.0.0 - 4.0.3.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-07-18
URL: CVE-2025-7783
CVSS 3 Score Details (8.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-fjxv-7rqg-78g4
Release Date: 2025-07-18
Fix Resolution (form-data): 4.0.4
Direct dependency fix Resolution (@vonage/server-sdk): 3.22.3
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2025-65945
Vulnerable Library - jws-3.2.2.tgz
Implementation of JSON Web Signatures
Library home page: https://registry.npmjs.org/jws/-/jws-3.2.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- server-sdk-3.22.1.tgz (Root Library)
- auth-1.12.0.tgz
- jwt-1.11.0.tgz
- jsonwebtoken-9.0.2.tgz
- ❌ jws-3.2.2.tgz (Vulnerable Library)
- jsonwebtoken-9.0.2.tgz
- jwt-1.11.0.tgz
- auth-1.12.0.tgz
Found in base branch: main
Vulnerability Details
auth0/node-jws is a JSON Web Signature implementation for Node.js. In versions 3.2.2 and earlier and version 4.0.0, auth0/node-jws has an improper signature verification vulnerability when using the HS256 algorithm under specific conditions. Applications are affected when they use the jws.createVerify() function for HMAC algorithms and use user-provided data from the JSON Web Signature protected header or payload in HMAC secret lookup routines, which can allow attackers to bypass signature verification. This issue has been patched in versions 3.2.3 and 4.0.1.
Publish Date: 2025-12-04
URL: CVE-2025-65945
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-869p-cjfg-cm3x
Release Date: 2025-12-04
Fix Resolution (jws): 3.2.3
Direct dependency fix Resolution (@vonage/server-sdk): 3.22.3
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.