{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:06f6c93b-ca74-5e22-b0f5-445f8d753691",
  "version": 1,
  "metadata": {
    "tools": [
      {
        "name": "tuxcare-vex-generator",
        "version": "1.0.0"
      }
    ]
  },
  "components": [
    {
      "bom-ref": "pkg:npm/loopback@1.10.0",
      "type": "library",
      "name": "loopback",
      "version": "1.10.0",
      "purl": "pkg:npm/loopback@1.10.0"
    }
  ],
  "vulnerabilities": [
    {
      "bom-ref": "urn:uuid:6dbf6931-1f0e-541d-a4ba-170dcfefee44",
      "id": "CVE-2017-16137",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2017-16137 affects version 1.10.0 of loopback."
      },
      "affects": [
        {
          "ref": "pkg:npm/loopback@1.10.0"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:dd893ff4-b06b-5886-9273-33e242393c4f",
      "id": "CVE-2017-20165",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2017-20165 affects version 1.10.0 of loopback."
      },
      "affects": [
        {
          "ref": "pkg:npm/loopback@1.10.0"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:de23b0af-79c3-5021-b7a4-ad25fa07be4d",
      "id": "CVE-2020-7769",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2020-7769 affects version 1.10.0 of loopback."
      },
      "affects": [
        {
          "ref": "pkg:npm/loopback@1.10.0"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:f271d5ce-9632-5817-b31f-2991f9678666",
      "id": "CVE-2021-23358",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2021-23358 affects version 1.10.0 of loopback."
      },
      "affects": [
        {
          "ref": "pkg:npm/loopback@1.10.0"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:82736875-fb83-5391-9fcf-8d6012486309",
      "id": "CVE-2021-23400",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2021-23400 affects version 1.10.0 of loopback."
      },
      "affects": [
        {
          "ref": "pkg:npm/loopback@1.10.0"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:2b449fe5-3e0e-5af0-995c-5cb35d9ad80c",
      "id": "CVE-2023-28155",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2023-28155 affects version 1.10.0 of loopback."
      },
      "affects": [
        {
          "ref": "pkg:npm/loopback@1.10.0"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:daa6c2ec-918f-55e1-a96e-a4dc25d9b6fe",
      "id": "CVE-2025-13033",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-13033 affects version 1.10.0 of loopback."
      },
      "affects": [
        {
          "ref": "pkg:npm/loopback@1.10.0"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:f877be81-4ea0-523c-b2a5-0a2419e35a43",
      "id": "CVE-2025-14874",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-14874 affects version 1.10.0 of loopback."
      },
      "affects": [
        {
          "ref": "pkg:npm/loopback@1.10.0"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:516d0cf4-7a15-5130-bb43-cf77d334d6e0",
      "id": "GHSA-268h-hp4c-crq3",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability GHSA-268h-hp4c-crq3 does not affect version 1.10.0 of loopback. The target repository (LoopBack 1.10.0-tuxcare.2) does not contain the vulnerable code pattern described in GHSA-268h-hp4c-crq3. The vulnerability exists in nodemailer's List-* header construction logic, which is not present in LoopBack's codebase. LoopBack acts as a pass-through wrapper that delegates email sending to nodemailer without implementing any List-* header processing itself."
      },
      "affects": [
        {
          "ref": "pkg:npm/loopback@1.10.0"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:566aaaf7-fbf7-5422-982c-2bbf94e392c3",
      "id": "GHSA-8wgc-jjvv-cv6v",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability GHSA-8wgc-jjvv-cv6v affects version 1.10.0 of loopback."
      },
      "affects": [
        {
          "ref": "pkg:npm/loopback@1.10.0"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:fd08c91a-6763-5387-87c3-e55d84ef0c9a",
      "id": "GHSA-9h6g-pr28-7cqp",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability GHSA-9h6g-pr28-7cqp affects version 1.10.0 of loopback."
      },
      "affects": [
        {
          "ref": "pkg:npm/loopback@1.10.0"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:fc7ad85b-5f2b-52d2-a21e-9b7a0ce9cbd5",
      "id": "GHSA-c7w3-x93f-qmm8",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability GHSA-c7w3-x93f-qmm8 affects version 1.10.0 of loopback."
      },
      "affects": [
        {
          "ref": "pkg:npm/loopback@1.10.0"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:22a3db91-065b-5b0c-8be0-e7f465d321c5",
      "id": "GHSA-r7g4-qg5f-qqm2",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability GHSA-r7g4-qg5f-qqm2 does not affect version 1.10.0 of loopback. The target repository (LoopBack 1.10.0-tuxcare.2) uses Nodemailer ~0.7.1 as a dependency. This version predates the vulnerable lib/fetch/index.js module by approximately 5+ years. The CVE describes a TLS certificate verification bypass in Nodemailer's internal HTTPS fetch client used for OAuth2 token retrieval, but Nodemailer 0.7.1 has a fundamentally different architecture that does not include... [detail truncated]"
      },
      "affects": [
        {
          "ref": "pkg:npm/loopback@1.10.0"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:fb56dd7b-2397-5223-be00-62ee9ba5c343",
      "id": "GHSA-v2p6-4mp7-3r9v",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability GHSA-v2p6-4mp7-3r9v affects version 1.10.0 of loopback."
      },
      "affects": [
        {
          "ref": "pkg:npm/loopback@1.10.0"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:371f30bc-5ff3-5d3e-b1c6-752399ce80be",
      "id": "GHSA-vvjj-xcjg-gr5g",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability GHSA-vvjj-xcjg-gr5g affects version 1.10.0 of loopback."
      },
      "affects": [
        {
          "ref": "pkg:npm/loopback@1.10.0"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:4761988e-93e9-54ee-b56b-3419696f35aa",
      "id": "GHSA-wqvq-jvpq-h66f",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability GHSA-wqvq-jvpq-h66f does not affect version 1.10.0 of loopback. The target repository uses nodemailer version 0.7.1 (July 2014), which predates the introduction of the vulnerable features by approximately 2.5 years. The vulnerability requires the jsonTransport feature with the disableFileAccess/disableUrlAccess security options, which were not introduced until nodemailer 3.x (January-February 2017). These features and the vulnerable code path do not exist in version... [detail truncated]"
      },
      "affects": [
        {
          "ref": "pkg:npm/loopback@1.10.0"
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "pkg:npm/loopback@1.10.0"
    }
  ]
}