Using vulnerable dependencies in package.json in star7th/showdoc


Reported on

Mar 18th 2022


Hello team, The Showdoc is using an axios 0.17.1 dependency that is vulnerable to:👇

1. CVE-2021-3749 Regular Expression Denial of Service (ReDoS)
2. CVE-2020-28168 Server-Side Request Forgery (SSRF)
3. CVE-2019-10742 Denial of Service (DoS)

Path to the file:


Patch recommendation:

  1. Update the axios 0.17.1 to axios 0.21.3
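A way to catch this class of finding before it reaches a bug bounty queue, as an added example that is not part of the report or of the showdoc project: a small Node script that reads a package.json, finds the axios entry in each dependency section and flags it when the declared version is below the 0.21.3 upgrade target the report recommends. The package.json contents are constructed for the example; only the axios versions and the three CVE ids come from the report.

```javascript
// Added example, not showdoc code: flag an axios dependency declared below the
// version the report recommends upgrading to.
const RECOMMENDED_AXIOS = "0.21.3"; // upgrade target from the report
const AXIOS_CVES = ["CVE-2021-3749", "CVE-2020-28168", "CVE-2019-10742"]; // listed in the report

// Parse "x.y.z", optionally behind a ^ / ~ / >= range prefix, into a numeric triple.
// The lower bound of a range is used as the worst-case resolution; the lockfile
// remains the authoritative place to confirm what was actually installed.
function parseVersion(spec) {
  const m = /^[\^~>=\s]*v?(\d+)\.(\d+)\.(\d+)/.exec(spec.trim());
  if (!m) return null; // tags such as "latest", URLs or "*" cannot be judged here
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns one finding per axios entry that is below the recommended version,
// plus an "unparsed" finding for specs the simple parser cannot judge.
function auditAxios(pkg) {
  const findings = [];
  const target = parseVersion(RECOMMENDED_AXIOS);
  for (const section of ["dependencies", "devDependencies", "optionalDependencies"]) {
    const spec = pkg[section] && pkg[section].axios;
    if (spec === undefined) continue;
    const version = parseVersion(spec);
    if (version === null) {
      findings.push({ section, spec, status: "unparsed", cves: [] });
    } else if (compareVersions(version, target) < 0) {
      findings.push({ section, spec, status: "vulnerable", cves: AXIOS_CVES });
    }
  }
  return findings;
}

// Constructed package.json modelled on the report (axios pinned at 0.17.1).
const samplePackageJson = JSON.parse(`{
  "name": "example-docs-app",
  "dependencies": { "axios": "0.17.1", "vue": "^2.6.0" }
}`);

for (const f of auditAxios(samplePackageJson)) {
  console.log(`${f.section}: axios ${f.spec} is ${f.status}; recommended >= ${RECOMMENDED_AXIOS}; ${f.cves.join(", ")}`);
}
```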
We are processing your report and will contact the star7th/showdoc team within 24 hours. a year ago
We have contacted a member of the star7th/showdoc team and are waiting to hear back a year ago
star7th validated this vulnerability a year ago
Akshay Ravi has been awarded the disclosure bounty
The fix bounty is now up for grabs
star7th marked this as fixed in 2.10.4 with commit 39b82c a year ago
star7th has been awarded the fix bounty
This vulnerability will not receive a CVE
Jamie Slome
a year ago


Hi both 👋

The bounties have been zeroed out here, as our disclosure policy does not allow rewards for vulnerabilities in dependencies that are consumed as part of a library or repository. The vulnerability must be in the package/repository itself, i.e. in star7th/showdoc.

Let me know if you have any questions 👍

Akshay Ravi
a year ago
