Merge pull request #6626 from zapbot/retirejs-update

thc202 · web-flow · commit b5e550e82e76 · 2025-07-26T06:52:52.000+01:00
retire.js Update 2025-07-25
diff --git a/addOns/retire/CHANGELOG.md b/addOns/retire/CHANGELOG.md
@@ -4,7 +4,8 @@ All notable changes to this add-on will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## Unreleased
-
+### Changed
+- Updated with upstream retire.js pattern changes.
 
 ## [0.47.0] - 2025-06-20
 ### Changed
diff --git a/addOns/retire/src/main/resources/org/zaproxy/addon/retire/resources/jsrepository.json b/addOns/retire/src/main/resources/org/zaproxy/addon/retire/resources/jsrepository.json
@@ -6228,7 +6228,7 @@
         ]
       },
       {
-        "below": "0.21.3",
+        "below": "0.21.2",
         "severity": "high",
         "cwe": [
           "CWE-1333",
@@ -7378,6 +7378,28 @@
           "https://vercel.com/changelog/cve-2025-30218-5DREmEH765PoeAsrNNQj3O"
         ]
       },
+      {
+        "atOrAbove": "13.0",
+        "below": "14.2.30",
+        "cwe": [
+          "CWE-1385"
+        ],
+        "severity": "low",
+        "identifiers": {
+          "summary": "Information exposure in Next.js dev server due to lack of origin verification",
+          "CVE": [
+            "CVE-2025-48068"
+          ],
+          "githubID": "GHSA-3h52-269p-cp9r"
+        },
+        "info": [
+          "https://github.com/advisories/GHSA-3h52-269p-cp9r",
+          "https://github.com/vercel/next.js/security/advisories/GHSA-3h52-269p-cp9r",
+          "https://nvd.nist.gov/vuln/detail/CVE-2025-48068",
+          "https://github.com/vercel/next.js",
+          "https://vercel.com/changelog/cve-2025-48068"
+        ]
+      },
       {
         "atOrAbove": "15.0.0",
         "below": "15.1.2",
@@ -7422,7 +7444,29 @@
         ]
       },
       {
-        "atOrAbove": "13.0",
+        "atOrAbove": "15.0.4-canary.51",
+        "below": "15.1.8",
+        "cwe": [
+          "CWE-444"
+        ],
+        "severity": "high",
+        "identifiers": {
+          "summary": "### Summary\nA vulnerability affecting Next.js has been addressed. It impacted versions 15.0.4 through 15.1.8 and involved a cache poisoning bug leading to a Denial of Service (DoS) condition.\n\nUnder certain conditions, this issue may allow a HTTP 204 response to be cached for static pages, leading to the 204 response being served to all users attempting to access the page\n\nMore details: [CVE-2025-49826](https://vercel.com/changelog/cve-2025-49826)\n\n## Credits\n- Allam Rachid [zhero;](https://zhero-web-sec.github.io/research-and-things/)\n- Allam Yasser (inzo)",
+          "githubID": "GHSA-67rr-84xm-4c7r",
+          "CVE": [
+            "CVE-2025-49826"
+          ]
+        },
+        "info": [
+          "https://github.com/vercel/next.js/security/advisories/GHSA-67rr-84xm-4c7r",
+          "https://github.com/vercel/next.js/commit/16bfce64ef2157f2c1dfedcfdb7771bc63103fd2",
+          "https://github.com/vercel/next.js/commit/a15b974ed707d63ad4da5b74c1441f5b7b120e93",
+          "https://github.com/vercel/next.js/releases/tag/v15.1.8",
+          "https://vercel.com/changelog/cve-2025-49826"
+        ]
+      },
+      {
+        "atOrAbove": "15.0.0",
         "below": "15.2.2",
         "cwe": [
           "CWE-1385"
@@ -7493,6 +7537,29 @@
           "https://github.com/vercel/next.js",
           "https://vercel.com/changelog/cve-2025-30218-5DREmEH765PoeAsrNNQj3O"
         ]
+      },
+      {
+        "atOrAbove": "15.3.0",
+        "below": "15.3.3",
+        "cwe": [
+          "CWE-444"
+        ],
+        "severity": "low",
+        "identifiers": {
+          "summary": "### Summary\n\nA cache poisoning issue in **Next.js App Router >=15.3.0 and < 15.3.3** may have allowed RSC payloads to be cached and served in place of HTML, under specific conditions involving middleware and redirects. This issue has been fixed in **Next.js 15.3.3**.\n\nUsers on affected versions should **upgrade immediately** and **redeploy** to ensure proper caching behavior.\n\nMore details: [CVE-2025-49005](https://vercel.com/changelog/cve-2025-49005)",
+          "githubID": "GHSA-r2fc-ccr8-96c4",
+          "CVE": [
+            "CVE-2025-49005"
+          ]
+        },
+        "info": [
+          "https://github.com/vercel/next.js/security/advisories/GHSA-r2fc-ccr8-96c4",
+          "https://github.com/vercel/next.js/issues/79346",
+          "https://github.com/vercel/next.js/pull/79939",
+          "https://github.com/vercel/next.js/commit/ec202eccf05820b60c6126d6411fe16766ecc066",
+          "https://github.com/vercel/next.js/releases/tag/v15.3.3",
+          "https://vercel.com/changelog/cve-2025-49005"
+        ]
       }
     ],
     "extractors": {
@@ -8111,7 +8178,7 @@
         "/\\*[\\s*!]+(?:@license)?[\\s*]+(?:Lo-Dash|lodash|Lodash) v?(§§version§§)[\\s\\S]{1,200}Build: `lodash modern -o",
         "/\\*[\\s*!]+(?:@license)?[\\s*]+(?:Lo-Dash|lodash|Lodash) v?(§§version§§) <",
         "/\\*[\\s*!]+(?:@license)?[\\s*]+(?:Lo-Dash|lodash|Lodash) v?(§§version§§) lodash.com/license",
-        "=\"(§§version§§)\"[\\s\\S]{1,300}__lodash_hash_undefined__",
+        "=\"(§§version§§)(?<=[0-9]{1,2}\\.[0-9]{1,2}\\.[0-9]{1,2})\"[\\s\\S]{1,300}__lodash_hash_undefined__",
         "/\\*[\\s*]+@license[\\s*]+(?:Lo-Dash|lodhash|Lodash)[\\s\\S]{1,500}var VERSION *= *['\"](§§version§§)['\"]",
         "var VERSION=\"(§§version§§)\";var BIND_FLAG=1,BIND_KEY_FLAG=2,CURRY_BOUND_FLAG=4,CURRY_FLAG=8"
       ],
