HCL BigFix WebUI Vulnerabilities: jws, lodash, path-to-regexp, minimist, node-saml CVEs and Fixes

HCL BigFix WebUI Multiple Security Vulnerabilities Vulnerability Overview HCL BigFix WebUI is affected by multiple vulnerabilities in open-source components, including , , , , and . Affected Scope jws (CVE-2025-65945): Impacts BigFix WebUI Framework Application lodash (CVE-2025-13465): Impacts BigFix WebUI Framework Application path-to-regexp (CVE-2026-4867): Impacts BigFix WebUI Framework Application minimist (CVE-2025-34361): Impacts BigFix WebUI Framework Application node-saml (CVE-2025-54419): Impacts BigFix WebUI Framework Application Remediation jws: Upgrade to versions 3.2.3 and 4.0.1 lodash: Upgrade to version 4.17.23 path-to-regexp: Upgrade to version 6.3.0 minimist: Upgrade to version 1.2.8 node-saml: Upgrade to version 4.4.19 Detailed Vulnerability Information jws (CVE-2025-65945) CVSS Score: 7.5 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Description: is a JSON Web Signature implementation for Node.js. In versions 3.2.2 and earlier, and 4.0.0 and earlier, there is an incorrect signature verification vulnerability. When using the HS256 algorithm, under specific conditions, the application may use the function to process the HMAC algorithm, leading to data exposure. This issue has been patched in versions 3.2.3 and 4.0.1. lodash (CVE-2025-13465) CVSS Score: 7.5 CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N Description: Lodash versions 4.0.0 through 4.17.22 contain a prototype pollution vulnerability in the and functions. Attackers can pass forged paths to cause lodash to delete methods from the global prototype. The affected methods include , , , , among others.

Goal Reached Thanks to every supporter — we hit 100%!

HCL BigFix WebUI Vulnerabilities: jws, lodash, path-to-regexp, minimist, node-saml CVEs and Fixes