false positive: datahub-web-react dependencies

Low
david-leifker published GHSA-grf6-rh4c-p2p6 Sep 20, 2024

Package

No package listed

Affected versions

*

Patched versions

n/a

Description

DataHub UI relies on libraries that carry upstream vulnerabilities which do not apply to the way DataHub UI uses those libraries.

  • CVE-2024-39008 - robinweser fast-loops vulnerable to prototype pollution

Deep in the dependency chain, fast-loops is a dependency of inline-style-prefixer, which only updates existing CSS and does not take in any user input.

  • CVE-2024-37890 - ws affected by a DoS when handling a request with many HTTP headers

The code is not executed within Node.js and does not serve requests using websockets.

  • CVE-2024-4067 - Regular Expression Denial of Service (ReDoS) in micromatch
  • CVE-2024-4068 - Uncontrolled resource consumption in braces

Not open to any user input: braces is a dependency of micromatch, which is used only in GraphQL code generation and in our Jest testing framework.

  • CVE-2023-26115 - word-wrap vulnerable to Regular Expression Denial of Service

Component not used outside of linting and code generation. It is a dependency of a dependency that is used only in linting and code generation, nothing user-facing.

  • CVE-2022-25883 - semver vulnerable to Regular Expression Denial of Service

Not used at runtime to parse semantic versions.
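Several of the dismissals above rest on the same reachability argument: the vulnerable package is only pulled in through a development-time tool (Jest, code generation, linting) and never ships in the production dependency graph. The script below is an added example, not code from DataHub or from this advisory, showing how to check that claim mechanically against an npm `package-lock.json` (lockfileVersion 2/3 `packages` layout is assumed; a Yarn project would first need its lockfile converted, e.g. with `npm install --package-lock-only`). The `constructedLock` object is a constructed stand-in for a real lockfile, and the dependency edges in it (other than `inline-style-prefixer` requiring `fast-loops`, which the advisory states) are illustrative assumptions. It classifies a package as production-reachable, dev-only, or not installed, and returns the dependency path it followed.

```javascript
// Added example: classify a vulnerable transitive dependency by whether it is
// reachable from the root's production `dependencies` or only from
// `devDependencies`, using npm's package-lock.json v2/v3 "packages" map.
// `constructedLock` is constructed for illustration; it is not DataHub's lock.

const constructedLock = {
  lockfileVersion: 3,
  packages: {
    "": {
      dependencies: { "inline-style-prefixer": "^7.0.0" },
      devDependencies: { jest: "^29.0.0", eslint: "^8.0.0" },
    },
    // Assumed edges: the advisory only states inline-style-prefixer -> fast-loops.
    "node_modules/inline-style-prefixer": { version: "7.0.0", dependencies: { "fast-loops": "^1.1.0" } },
    "node_modules/fast-loops": { version: "1.1.3" },
    "node_modules/jest": { version: "29.0.0", dev: true, dependencies: { micromatch: "^4.0.0" } },
    "node_modules/micromatch": { version: "4.0.5", dev: true, dependencies: { braces: "^3.0.2" } },
    "node_modules/braces": { version: "3.0.2", dev: true },
    "node_modules/eslint": { version: "8.0.0", dev: true, dependencies: { "word-wrap": "^1.2.3" } },
    "node_modules/word-wrap": { version: "1.2.3", dev: true },
  },
};

// npm's resolution rule for a lockfile: a package installed at `fromPath`
// requiring `name` gets the nearest node_modules/<name>, walking upward
// from its own nested node_modules to the top-level one.
function resolve(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (!base) return null; // reached the top level without finding it
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Breadth-first search from one root dependency group ("dependencies" or
// "devDependencies"). Returns the shortest chain of package names from the
// root to `target`, or null if `target` is not reachable from that group.
function findPath(packages, group, target) {
  const root = packages[""] || {};
  const queue = [];
  const seen = new Set();
  for (const dep of Object.keys(root[group] || {})) {
    const p = resolve(packages, "", dep);
    if (p && !seen.has(p)) { seen.add(p); queue.push({ path: p, chain: [dep] }); }
  }
  while (queue.length) {
    const { path, chain } = queue.shift();
    if (chain[chain.length - 1] === target) return chain;
    for (const dep of Object.keys(packages[path].dependencies || {})) {
      const p = resolve(packages, path, dep);
      if (p && !seen.has(p)) { seen.add(p); queue.push({ path: p, chain: [...chain, dep] }); }
    }
  }
  return null;
}

// Production reachability is checked first: a package reachable from both
// groups still ships to production and cannot be dismissed as dev-only.
function classify(lock, target) {
  const packages = lock.packages || {};
  const prod = findPath(packages, "dependencies", target);
  if (prod) return { status: "production-reachable", path: prod };
  const dev = findPath(packages, "devDependencies", target);
  if (dev) return { status: "dev-only", path: dev };
  return { status: "not-installed", path: null };
}

// Packages named in the advisory, run against the constructed lock.
for (const pkg of ["fast-loops", "braces", "word-wrap", "ws"]) {
  const { status, path } = classify(constructedLock, pkg);
  console.log(`${pkg}: ${status}${path ? " via " + path.join(" > ") : ""}`);
}
```

Against a real project, replace `constructedLock` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. A `dev-only` result is lockfile evidence that supports dismissals like the braces/micromatch and word-wrap ones. A `production-reachable` result, which is what fast-loops yields here, does not settle the question on its own; it marks the packages where the argument has to be about how the code is used (no attacker-controlled input, not executed under Node.js), as the advisory makes for fast-loops and ws.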

Impact

No impact to DataHub.

Patches

N/A

Workarounds

N/A

References

Severity

Low

CVE ID

No known CVE

Weaknesses

No CWEs