High-severity CVEs in third-party components (OWASP Top 10 A06:2021, Vulnerable and Outdated Components; CWE-1357, Reliance on Insufficiently Trustworthy Component) may not have a public exploit yet, but they are scored weaknesses in code you ship, and attackers fingerprint dependency versions to find them. An SSRF in axios (CVE-2020-28168, a proxy bypass via redirect, fixed in 0.21.1) or a ReDoS in a string-processing library can be chained with other weaknesses into a full compromise. SSDF PW.4 requires third-party components to be acquired and kept well-secured throughout their life cycle; carrying known high-severity CVEs means that control is failing. Unlike critical CVEs, high-severity findings may not block CI immediately, but they accumulate into risk debt that gets called in, usually at the worst possible moment. The fix window should be measured in days, not sprints.
High, because these CVEs have confirmed security impact and are often exploitable in the right application context, even when no universal remote exploit exists.
Resolve high-severity CVEs within the current sprint. Run the audit scoped to production dependencies only (--omit=dev needs npm 7 or later; --audit-level sets the exit-code threshold, while the printed report still lists lower severities):
npm audit --omit=dev --audit-level=high
npm audit fix
For transitive vulnerabilities that npm audit fix cannot resolve without a breaking change, use the overrides field in package.json to force the patched version (nest the entry under the dependent when only one consumer should be affected), and treat the override as a temporary shim to remove once upstream publishes a fix. Run npm audit fix --force only after reviewing the semver-major upgrades it will apply. Verify resolution by re-running npm audit --omit=dev --audit-level=high and confirming a zero exit status with no high or critical findings.
ID: dependency-supply-chain.security-vulns.no-high-cves
Severity: high
What to look for: Examine production dependencies for known high-severity CVEs. Same methodology as the critical CVE check: run npm audit --audit-level=high --omit=dev if possible, or compare lock file versions against the known vulnerable ranges. Focus specifically on dependencies, not devDependencies (in a lockfileVersion 2 or 3 package-lock.json, dev-only packages are flagged "dev": true). Important: ESLint, TypeScript, testing frameworks, and similar build/dev tools in devDependencies are NOT production runtime even in Next.js or similar SSR frameworks; they do not execute in the deployed application. CVEs in devDependencies are out of scope for this check regardless of framework. Count all instances found and enumerate each.
Pass criteria: No known high-severity (or critical) CVEs found in production dependencies. The result must be verifiable from the repository itself, that is, from lock file versions or audit output, not asserted.
Fail criteria: One or more production dependencies have known high-severity CVEs.
Error when: package.json cannot be located or read.
Skip (N/A) when: Same as critical CVE check — no npm ecosystem detected.
Detail on fail: Name the affected package(s), the installed version, and the fixed version. Example: "axios@0.21.0 in dependencies has high-severity SSRF vulnerability (CVE-2020-28168). Update to >=0.21.1." List at most 3 packages and state the total count when more were found.
Remediation: High-severity CVEs in production dependencies represent significant risk. They may not be immediately exploitable from your attack surface, but they should be addressed within your current sprint.
npm audit fix
# For manual upgrades, prefer the smallest patched version over @latest,
# which may cross a major version and pull in unreviewed breaking changes:
npm install axios@^0.21.1
If the vulnerability is in a transitive dependency, check whether the direct dependent has published a release that pulls in the patched version; otherwise use overrides as a temporary shim and remove it once upstream catches up. Verify your fix with npm audit --omit=dev --audit-level=high; the command exits non-zero while any high or critical finding remains.