Seeded demo

acme-platform

seeded demo data

Export SBOM

3 Affected Package Versions 13 advisories matched exact versions

2 Critical / High Packages 0 critical · 2 high

1 Direct Affected Packages Closest fixes to prioritize first

0 Need Exact Version 9 total package versions scanned

9 Total Package Versions 3 affected, 0 need exact versions

2 Deepest Vulnerability Path dependency levels from the repository root

2 Transitive Affected Packages 1 direct affected packages

0 Repeated Finding Occurrences seen across 1 dependency files

Vulnerability Monitor

3 vulnerable package versions · 13 unique advisories · 1 vulnerable direct dependencies

CRITICAL 0 HIGH 2 MEDIUM 1 LOW 0 UNKNOWN 0

Findings are matched against OSV.dev using package ecosystem, package name, and installed version. Links below open the source advisory record; demo/offline fixtures are only used for the seeded demo packages.

High 2 packages · 11 advisories Packages whose highest matched advisory is high.

lodash 4.17.20 · npm · direct direct dependency

5 graphs available for this package version Shown once at high severity because that is the highest advisory on this package. Choose a graph to inspect the specific advisory and path.

HIGH 5 advisories

HIGH

GHSA-35jh-r3h4-6jhm Command Injection in lodash Fixed: 4.17.21 · CVE-2021-23337 · GitHub reviewed

HIGH

GHSA-r5fr-rjxr-66jc lodash vulnerable to Code Injection via `_.template` imports key names Fixed: 4.18.0 · CVE-2026-4800 · GitHub reviewed

MEDIUM

GHSA-29mw-wpgm-hmr9 Regular Expression Denial of Service (ReDoS) in lodash Fixed: 4.17.21 · CVE-2020-28500 · GitHub reviewed

MEDIUM

GHSA-f23m-r3pf-42rh lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` Fixed: 4.18.0 · CVE-2026-2950 · GitHub reviewed

MEDIUM

GHSA-xxjr-mmjv-4gpg Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions Fixed: 4.17.23 · CVE-2025-13465 · GitHub reviewed

axios 1.6.2 · npm · transitive transitive 1 level deep

6 graphs available for this package version Shown once at high severity because that is the highest advisory on this package. Choose a graph to inspect the specific advisory and path.

HIGH 6 advisories

HIGH

GHSA-43fc-jf86-j433 Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig Fixed: 0.30.3 · CVE-2026-25639 · GitHub reviewed

HIGH

GHSA-4hjh-wcwx-xvwj Axios is vulnerable to DoS attack through lack of data size check Fixed: 0.30.2 · CVE-2025-58754 · GitHub reviewed

HIGH

GHSA-8hc4-vh64-cxmj Server-Side Request Forgery in axios Fixed: 1.7.4 · CVE-2024-39338 · GitHub reviewed

HIGH

GHSA-jr5f-v2jv-69x6 axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL Fixed: 0.30.0 · CVE-2025-27152 · GitHub reviewed

MEDIUM

GHSA-3p68-rc4w-qgx5 Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF Fixed: 0.31.0 · CVE-2025-62718 · GitHub reviewed

MEDIUM

GHSA-fvcv-3m26-pcqx Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain Fixed: 0.31.0 · CVE-2026-40175 · GitHub reviewed

Medium 1 packages · 2 advisories Packages whose highest matched advisory is medium.

follow-redirects 1.15.4 · npm · transitive transitive 2 levels deep

2 graphs available for this package version Shown once at medium severity because that is the highest advisory on this package. Choose a graph to inspect the specific advisory and path.

MEDIUM 2 advisories

SBOM Manifest

3 vulnerable package versions, 0 need exact versions, 6 clear package versions, sorted by risk first.

Component	Version	Ecosystem	Scope	Source	Package URL	Status
lodash	4.17.20	npm	Direct	Imported file	pkg:npm/lodash@4.17.20	HIGH 5 advisories
Choose a graph for lodash@4.17.20 5 advisories HIGH GHSA-35jh-r3h4-6jhm Command Injection in lodash Fixed: 4.17.21 HIGH GHSA-r5fr-rjxr-66jc lodash vulnerable to Code Injection via `_.template` imports key names Fixed: 4.18.0 MEDIUM GHSA-29mw-wpgm-hmr9 Regular Expression Denial of Service (ReDoS) in lodash Fixed: 4.17.21 MEDIUM GHSA-f23m-r3pf-42rh lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` Fixed: 4.18.0 MEDIUM GHSA-xxjr-mmjv-4gpg Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions Fixed: 4.17.23
axios	1.6.2	npm	Transitive	Imported file	pkg:npm/axios@1.6.2	HIGH 6 advisories
Choose a graph for axios@1.6.2 6 advisories HIGH GHSA-43fc-jf86-j433 Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig Fixed: 0.30.3 HIGH GHSA-4hjh-wcwx-xvwj Axios is vulnerable to DoS attack through lack of data size check Fixed: 0.30.2 HIGH GHSA-8hc4-vh64-cxmj Server-Side Request Forgery in axios Fixed: 1.7.4 HIGH GHSA-jr5f-v2jv-69x6 axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL Fixed: 0.30.0 MEDIUM GHSA-3p68-rc4w-qgx5 Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF Fixed: 0.31.0 MEDIUM GHSA-fvcv-3m26-pcqx Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain Fixed: 0.31.0
follow-redirects	1.15.4	npm	Transitive	Imported file	pkg:npm/follow-redirects@1.15.4	MEDIUM 2 advisories
Choose a graph for follow-redirects@1.15.4 2 advisories MEDIUM GHSA-cxjh-pqwp-8mfp follow-redirects' Proxy-Authorization header kept across hosts Fixed: 1.15.6 MEDIUM GHSA-r4q5-vmmm-2653 follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets Fixed: 1.16.0

Clear Dependencies 6 packages hidden Show clear packagesHide clear packages

Component	Version	Ecosystem	Scope	Source	Package URL	Status
@acme/auth-sdk	2.4.0	npm	Direct	Imported file	pkg:npm/@acme/auth-sdk@2.4.0	Clear
@acme/payments	1.9.3	npm	Direct	Imported file	pkg:npm/@acme/payments@1.9.3	Clear
@acme/ui-kit	5.1.0	npm	Direct	Imported file	pkg:npm/@acme/ui-kit@5.1.0	Clear
acme-platform	3.8.1	npm	Direct	Imported file	pkg:npm/acme-platform@3.8.1	Clear
jsonwebtoken	9.0.0	npm	Transitive	Imported file	pkg:npm/jsonwebtoken@9.0.0	Clear
stripe-sdk	14.1.0	npm	Transitive	Imported file	pkg:npm/stripe-sdk@14.1.0	Clear