{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:0eb80e15-1e97-51e0-810f-9c14d1b83bb5", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/%40astrojs/internal-helpers@4.16.19-tuxcare.1", "type": "library", "name": "@astrojs/internal-helpers", "version": "4.16.19-tuxcare.1", "purl": "pkg:npm/%40astrojs/internal-helpers@4.16.19-tuxcare.1" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:b8ad7d06-7274-5378-9ff9-c8c91ff5d1dd", "id": "AIKIDO-2025-10879", "analysis": { "state": "resolved", "detail": "Vulnerability AIKIDO-2025-10879 is fixed in version 4.16.19-tuxcare.1 of @astrojs/internal-helpers." }, "affects": [ { "ref": "pkg:npm/%40astrojs/internal-helpers@4.16.19-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:b966874e-a5dd-5c9a-b4d4-57abada72fc5", "id": "CVE-2025-55303", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-55303 affects version 4.16.19-tuxcare.1 of @astrojs/internal-helpers." }, "affects": [ { "ref": "pkg:npm/%40astrojs/internal-helpers@4.16.19-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:a8529859-29d2-5576-8f68-ec9f32f0de97", "id": "CVE-2025-61925", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-61925 is fixed in version 4.16.19-tuxcare.1 of @astrojs/internal-helpers." }, "affects": [ { "ref": "pkg:npm/%40astrojs/internal-helpers@4.16.19-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:3b77f0bb-f749-52dc-bfe4-e4912b4ec0bc", "id": "CVE-2025-64525", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-64525 is fixed in version 4.16.19-tuxcare.1 of @astrojs/internal-helpers." }, "affects": [ { "ref": "pkg:npm/%40astrojs/internal-helpers@4.16.19-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:39980dcf-1f33-5559-af1e-43e42b127044", "id": "CVE-2025-64757", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-64757 is fixed in version 4.16.19-tuxcare.1 of @astrojs/internal-helpers." }, "affects": [ { "ref": "pkg:npm/%40astrojs/internal-helpers@4.16.19-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:9d395d3b-9291-5470-a654-df10d7fbc1e7", "id": "CVE-2025-64764", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-64764 is fixed in version 4.16.19-tuxcare.1 of @astrojs/internal-helpers." }, "affects": [ { "ref": "pkg:npm/%40astrojs/internal-helpers@4.16.19-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:137c18ea-30bf-5e62-b3a0-3aac8a1ce673", "id": "CVE-2025-64765", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-64765 is fixed in version 4.16.19-tuxcare.1 of @astrojs/internal-helpers." }, "affects": [ { "ref": "pkg:npm/%40astrojs/internal-helpers@4.16.19-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:0d945d71-71b9-5096-96fe-97bb6c6b2c48", "id": "CVE-2025-65019", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-65019 is fixed in version 4.16.19-tuxcare.1 of @astrojs/internal-helpers." }, "affects": [ { "ref": "pkg:npm/%40astrojs/internal-helpers@4.16.19-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:0b6b24fc-b896-55f1-a2e4-7376d3312e51", "id": "CVE-2025-66202", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-66202 is fixed in version 4.16.19-tuxcare.1 of @astrojs/internal-helpers." }, "affects": [ { "ref": "pkg:npm/%40astrojs/internal-helpers@4.16.19-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:920db793-2900-5412-8dfa-a2b955bb73c0", "id": "CVE-2026-32887", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2026-32887 is a false positive for @astrojs/internal-helpers 4.16.19-tuxcare.1. false_positive \u2014 CVE-2026-32887 concerns the Effect framework (TypeScript framework with RpcServer/HttpApp APIs), but the target repository is Astro (a website build tool). These are completely different projects with no dependency relationship. This is a wrong-project match." }, "affects": [ { "ref": "pkg:npm/%40astrojs/internal-helpers@4.16.19-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:db0f7cc6-4084-5be3-9646-4a913d6ccc15", "id": "CVE-2026-33128", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2026-33128 is a false positive for @astrojs/internal-helpers 4.16.19-tuxcare.1. false_positive \u2014 CVE-2026-33128 concerns H3 framework, but the target repository is Astro framework. This is a wrong-project match with no code relationship between the two projects." }, "affects": [ { "ref": "pkg:npm/%40astrojs/internal-helpers@4.16.19-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:791fd9ca-56dd-5d74-961b-3a0ef7faa31d", "id": "CVE-2026-33131", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2026-33131 is a false positive for @astrojs/internal-helpers 4.16.19-tuxcare.1. false_positive \u2014 CVE-2026-33131 concerns the H3 framework, but the target repository is Astro (version 4.16.19-tuxcare.1), a completely different web framework. H3 is not used as a dependency, not vendored in the source tree, and the affected components (NodeRequestUrl, FastURL) do not exist in this codebase. This is a wrong-project match." }, "affects": [ { "ref": "pkg:npm/%40astrojs/internal-helpers@4.16.19-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:623b511c-85ba-5045-bf45-fdfe6bf3e492", "id": "CVE-2026-33490", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2026-33490 is a false positive for @astrojs/internal-helpers 4.16.19-tuxcare.1. false_positive \u2014 CVE-2026-33490 concerns H3 (a minimal HTTP framework), but the target repository is Astro (a website build tool). H3 is not present in this repository - no vendored code, no dependency, no imports. The only 'h3' references found are HTML heading components (

tags), unrelated to the H3 framework." }, "affects": [ { "ref": "pkg:npm/%40astrojs/internal-helpers@4.16.19-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:5a6c0ab6-1775-5baa-83f1-0b412a5c4243", "id": "CVE-2026-33769", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-33769 is fixed in version 4.16.19-tuxcare.1 of @astrojs/internal-helpers." }, "affects": [ { "ref": "pkg:npm/%40astrojs/internal-helpers@4.16.19-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:3b4f9fd4-7b86-57ac-a373-7f6d420d2ffa", "id": "CVE-2026-41067", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41067 is fixed in version 4.16.19-tuxcare.1 of @astrojs/internal-helpers." }, "affects": [ { "ref": "pkg:npm/%40astrojs/internal-helpers@4.16.19-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:64415312-6a6f-5187-86db-02159c4e92f2", "id": "CVE-2026-45028", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-45028 affects version 4.16.19-tuxcare.1 of @astrojs/internal-helpers." }, "affects": [ { "ref": "pkg:npm/%40astrojs/internal-helpers@4.16.19-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:ba6b8f94-f051-5b16-93e0-39adfbe2527e", "id": "CVE-2026-50146", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50146 affects version 4.16.19-tuxcare.1 of @astrojs/internal-helpers." }, "affects": [ { "ref": "pkg:npm/%40astrojs/internal-helpers@4.16.19-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:c30918f5-4e34-53bf-93e4-a8002b7ea70d", "id": "CVE-2026-54298", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54298 affects version 4.16.19-tuxcare.1 of @astrojs/internal-helpers." }, "affects": [ { "ref": "pkg:npm/%40astrojs/internal-helpers@4.16.19-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:cc48f5a7-8301-57c4-9cda-a0cfbb43c412", "id": "CVE-2026-54299", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54299 does not affect version 4.16.19-tuxcare.1 of @astrojs/internal-helpers. already_fixed \u2014 The target repository has already fixed this vulnerability via CVE-2026-25545 / AIKIDO-2025-10879 (May 7, 2026), which addresses the identical SSRF issue. The fix removes the prerendered error page fetching feature entirely, replacing it with direct SSR rendering. This is a more aggressive mitigation than the upstream's host validation approach." }, "affects": [ { "ref": "pkg:npm/%40astrojs/internal-helpers@4.16.19-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:a015b506-4894-508d-8573-f752ac63c0d0", "id": "GHSA-4hxc-9384-m385", "analysis": { "state": "false_positive", "detail": "Vulnerability GHSA-4hxc-9384-m385 is a false positive for @astrojs/internal-helpers 4.16.19-tuxcare.1. false_positive \u2014 Wrong-project match: CVE GHSA-4hxc-9384-m385 concerns the h3 package's EventStream SSE injection vulnerability, but the target repository is Astro (version 4.16.19-tuxcare.1), a completely different web framework. The h3 package and its affected component are entirely absent from this repository." }, "affects": [ { "ref": "pkg:npm/%40astrojs/internal-helpers@4.16.19-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:e4c63833-4846-505b-9d5f-52cb5cef4eb3", "id": "GHSA-q5pr-72pq-83v3", "analysis": { "state": "false_positive", "detail": "Vulnerability GHSA-q5pr-72pq-83v3 is a false positive for @astrojs/internal-helpers 4.16.19-tuxcare.1. false_positive \u2014 This is a wrong-project match. The CVE GHSA-q5pr-72pq-83v3 concerns h3's chunked cookie handling vulnerability, but this repository is Astro (a website build tool), which does not use h3 or contain any h3 code." }, "affects": [ { "ref": "pkg:npm/%40astrojs/internal-helpers@4.16.19-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:1957b1c7-57e7-5b75-b19e-ec4c080d33d7", "id": "GHSA-wr4h-v87w-p3r7", "analysis": { "state": "false_positive", "detail": "Vulnerability GHSA-wr4h-v87w-p3r7 is a false positive for @astrojs/internal-helpers 4.16.19-tuxcare.1. false_positive \u2014 This advisory (GHSA-wr4h-v87w-p3r7) concerns the h3 library's serveStatic() function, but the target repository is Astro, a completely different web framework. The h3 library is not present in this repository in any form - not as the project itself, not as a vendored/bundled dependency, and not as a declared dependency." }, "affects": [ { "ref": "pkg:npm/%40astrojs/internal-helpers@4.16.19-tuxcare.1" } ] } ], "dependencies": [ { "ref": "pkg:npm/%40astrojs/internal-helpers@4.16.19-tuxcare.1" } ] }