Security: fix UI npm vulnerabilities (CVE-2026-1615, CVE-2025-50537, CVE-2025-14505, CVE-2025-30360, CVE-2025-30359, CVE-2024-11831)
Security Vulnerabilities in UI Dependencies
Tracking all open security vulnerabilities detected by Mend in ui/package.json (transitive npm dependencies). All were found in the master branch.
🔴 Critical
CVE-2026-1615 — Critical
Package: jsonpath-1.2.1
Path: @postgres.ai/ce → (transitive) → jsonpath
Issue: Prototype pollution / arbitrary code execution via crafted JSONPath expressions.
Fix: Upgrade jsonpath to a patched version (or replace with jsonpath-plus >=10.x)
GitHub mirror: https://github.com/postgres-ai/database-lab-engine/issues/285
🟡 Medium
CVE-2025-50537 — Medium
Package: eslint-8.57.1
Path: @postgres.ai/ce → eslint
Fix: Upgrade to >=9.x
GitHub mirror: https://github.com/postgres-ai/database-lab-engine/issues/273
Status:
CVE-2025-14505 — Medium
Package: elliptic-6.6.1
Path: @postgres.ai/ce → (transitive) → elliptic
Issue: Weak ECDH key generation, potential private key recovery.
Fix: Upgrade elliptic to >=6.6.2 via pnpm.overrides
GitHub mirror: https://github.com/postgres-ai/database-lab-engine/issues/270
CVE-2025-30360 — Medium
Package: webpack-dev-server-4.15.2
Path: @postgres.ai/ce → react-scripts → webpack-dev-server
Issue: DNS rebinding via Host header bypass.
Fix: Upgrade webpack-dev-server to >=5.x via pnpm.overrides
GitHub mirror: https://github.com/postgres-ai/database-lab-engine/issues/236
CVE-2025-30359 — Medium
Package: webpack-dev-server-4.15.2
Path: @postgres.ai/ce → react-scripts → webpack-dev-server
Issue: WebSocket origin validation bypass.
Fix: Same as above — upgrade to >=5.x
GitHub mirror: https://github.com/postgres-ai/database-lab-engine/issues/235
CVE-2024-11831 — Medium
Package: serialize-javascript-4.0.0
Path: @postgres.ai/ce → react-scripts → terser-webpack-plugin → serialize-javascript
Issue: XSS via insufficient escaping of special HTML characters in serialized output.
Fix: Upgrade serialize-javascript to >=6.0.2 via pnpm.overrides
GitHub mirror: https://github.com/postgres-ai/database-lab-engine/issues/229
Fix Plan
Add/update pnpm.overrides entries in ui/package.json:
    "pnpm": {
      "overrides": {
        "jsonpath": "npm:jsonpath-plus@>=10.0.0",
        "elliptic@<6.6.2": ">=6.6.2",
        "webpack-dev-server@<5.0.0": ">=5.0.0",
        "serialize-javascript@<6.0.2": ">=6.0.2"
      }
    }
Bump eslint directly in devDependencies to >=9.x.
Previously resolved (auto-closed)
- CVE-2026-27606 (Critical) — rollup — fixed via pnpm.overrides
- CVE-2026-27904 (High) — minimatch — fixed via pnpm.overrides
- CVE-2026-2739 (Medium) — bn.js — fixed via pnpm.overrides
- CVE-2024-27304 — pgtype (Go) — fixed in v4.0.4 via MR !1086 (merged)