bignum 0.13.0

2 security vulnerabilities found in version 0.13.0

Malware in pre-build binaries of bignum

critical severity GHSA-7cgc-fjv4-52x6
Affected versions: >= 0.12.2, < 0.13.1

Impact

bignum releases from v0.12.2 to v0.13.0 (inclusive) used node-pre-gyp to optionally download pre-built binary versions of the addon. These binaries were published on a now-expired S3 bucket that has since been claimed by a malicious third party, which now serves binaries containing malware that exfiltrates data from the user's computer.

Patches

v0.13.1 does not use node-pre-gyp and does not have support for downloading pre-built binaries in any form, avoiding the risk of malicious downloads.

Uncaught Exception in bignum

high severity CVE-2022-25324
Affected versions: <= 0.13.1

All versions of the npm package bignum are vulnerable to Denial of Service (DoS) due to a type-check exception in V8. When verifying the type of the second argument to the .powm function, V8 will crash regardless of Node try/catch blocks.

npm package version without a license.

Unless a license that specifies otherwise is included, nobody can use, copy, distribute, or modify this library without being at risk of take-downs, shake-downs, or litigation.

This package version is available.

This package version has not been yanked and is still available for usage.