AhmedAliAbdAlMowla/simple-api
https://github.com/AhmedAliAbdAlMowla/simple-api
Scanned on Mar 16, 2026
AI Assessment
VERDICT
This project is not production-ready. Multiple high-severity CVEs in core dependencies (multer, minimatch, tar, body-parser) create significant security risks that must be addressed before deployment.
TOP RISKS
→ CVE-2025-9288 in sha.js@2.4.11 flagged as CRITICAL in package-lock.json — scanner detected a vulnerability in a cryptographic dependency
→ 8 HIGH CVEs in multer@1.4.4-lts.1 flagged across package-lock.json — file upload handling library has multiple reported vulnerabilities
→ 6 HIGH CVEs in tar@6.2.0 flagged across package-lock.json — archive processing library has multiple security issues
→ 4 HIGH CVEs in minimatch@3.1.2 flagged across package-lock.json — pattern matching library has multiple vulnerabilities
→ Code quality issues: 35 format violations, 34 parse errors, 18 import organization issues across the codebase
WHAT TO FIX FIRST
Update multer@1.4.4-lts.1 in package-lock.json. This dependency carries 8 separate HIGH CVE flags and directly impacts file upload security — a common attack vector for web APIs.
SECONDARY CONCERNS
The scanner flagged 45 dependency issues total. Beyond the critical updates, audit and patch: sha.js, body-parser, minimatch, tar, path-to-regexp, jws, and others listed in package-lock.json. Code quality shows 140 low-priority linting issues (formatting, unused parameters, imports). Best practices are incomplete: no CI/CD configuration, no SECURITY.md, minimal README.
NOTE: Verify flagged CVEs against your actual code usage — some may be false positives if vulnerable code paths are not active.
Category Breakdown
Findings (189 in 56 groups)
sha.js: Missing type checks leading to hash rewind and passing on crafted data | Fix available: 2.4.12 | Package: sha.js (npm) | https://avd.aquasec.com/nvd/cve-2025-9288
body-parser: Denial of Service Vulnerability in body-parser | Fix available: 1.20.3 | Package: body-parser (npm) | https://avd.aquasec.com/nvd/cve-2024-45590
minimatch: minimatch: Denial of Service via specially crafted glob patterns | Fix available: 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3 | Package: minimatch (npm) | https://avd.aquasec.com/nvd/cve-2026-26996
minimatch: minimatch: Denial of Service due to unbounded recursive backtracking via crafted glob patterns | Fix available: 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3 | Package: minimatch (npm) | https://avd.aquasec.com/nvd/cve-2026-27903
minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions | Fix available: 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4 | Package: minimatch (npm) | https://avd.aquasec.com/nvd/cve-2026-27904
path-to-regexp: Backtracking regular expressions cause ReDoS | Fix available: 1.9.0, 0.1.10, 8.0.0, 3.3.0, 6.3.0 | Package: path-to-regexp (npm) | https://avd.aquasec.com/nvd/cve-2024-45296
multer: Multer Denial of Service | Fix available: 2.0.2 | Package: multer (npm) | https://avd.aquasec.com/nvd/cve-2025-7338
multer: Multer: Denial of Service via dropped file upload connections | Fix available: 2.1.0 | Package: multer (npm) | https://avd.aquasec.com/nvd/cve-2026-2359
multer: Multer: Denial of Service via malformed requests | Fix available: 2.1.0 | Package: multer (npm) | https://avd.aquasec.com/nvd/cve-2026-3304
multer: Multer: Denial of Service via malformed requests | Fix available: 2.1.1 | Package: multer (npm) | https://avd.aquasec.com/nvd/cve-2026-3520