Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXZqdnctd2Ntdy1wcjI2
Insufficient Entropy in parsel
All versions of parsel use an insecure key derivation function. The package runs keys of arbitrary lengths through one round of SHA256 hashing for key stretching. This allows for the use of keys of insufficient entropy with inappropriate key stretching.
Recommendation
The package is deprecated and will not be updated. Consider using an alternative package.
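The weakness described above, next to a salted scrypt derivation, as an added Node.js example that is neither parsel's code nor part of the advisory. The function names, scrypt cost parameters, minimum passphrase length and sample passphrase are assumptions made for illustration.

```javascript
const nodeCrypto = require('crypto');

// Weak pattern described in the advisory: one unsalted SHA-256 pass.
// Any input length is accepted and each guess costs a single hash.
function weakDeriveKey(passphrase) {
  return nodeCrypto.createHash('sha256').update(passphrase, 'utf8').digest();
}

// Hardened alternative: scrypt with a random per-secret salt.
// Cost parameters and the minimum length are assumptions for this example.
const SCRYPT_PARAMS = { N: 2 ** 14, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };
const MIN_PASSPHRASE_BYTES = 12;
const SALT_BYTES = 16;
const KEY_BYTES = 32;

function deriveKey(passphrase, salt = nodeCrypto.randomBytes(SALT_BYTES)) {
  if (Buffer.byteLength(passphrase, 'utf8') < MIN_PASSPHRASE_BYTES) {
    throw new RangeError('passphrase too short for key derivation');
  }
  if (!Buffer.isBuffer(salt) || salt.length < SALT_BYTES) {
    throw new RangeError('salt must be a Buffer of at least 16 bytes');
  }
  const key = nodeCrypto.scryptSync(passphrase, salt, KEY_BYTES, SCRYPT_PARAMS);
  return { key, salt }; // store the salt next to the ciphertext; it is not secret
}

// Re-derive with the stored salt and compare in constant time.
function matchesKey(passphrase, salt, expectedKey) {
  const { key } = deriveKey(passphrase, salt);
  return key.length === expectedKey.length &&
    nodeCrypto.timingSafeEqual(key, expectedKey);
}

// Constructed sample input, not taken from the advisory.
const SAMPLE = 'correct horse battery staple';
function demo() {
  const a = deriveKey(SAMPLE);
  const b = deriveKey(SAMPLE);
  return {
    weakRepeats: weakDeriveKey(SAMPLE).equals(weakDeriveKey(SAMPLE)),
    weakAcceptsOneChar: weakDeriveKey('a').length === 32,
    saltedKeysDiffer: !a.key.equals(b.key),
    roundTrip: matchesKey(SAMPLE, a.salt, a.key),
  };
}
```

The unsalted hash gives every user of the same passphrase the same key, while the scrypt path yields a different key per salt and still reproduces it when the stored salt is supplied.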
Permalink: https://github.com/advisories/GHSA-vjvw-wcmw-pr26
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXZqdnctd2Ntdy1wcjI2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 4 years ago
Updated: about 2 years ago
Identifiers: GHSA-vjvw-wcmw-pr26
References:
Blast Radius: 0.0
Affected Packages
npm:parsel
Dependent packages: 1
Dependent repositories: 24
Downloads: 60 last month
Affected Version Ranges: >= 0.0.0
No known fixed version
All affected versions: 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.2.0, 0.3.0