CVE-2025-1647 (Medium) detected in bootstrap-3.4.1.tgz

[mend-bolt-for-github]

CVE-2025-1647 - Medium Severity Vulnerability

Vulnerable Library - bootstrap-3.4.1.tgz

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://registry.npmjs.org/bootstrap/-/bootstrap-3.4.1.tgz

Path to dependency file: /vendor/cache/manageiq-ui-classic-7f79b2437418/package.json

Path to vulnerable library: /vendor/cache/manageiq-ui-classic-7f79b2437418/package.json

Dependency Hierarchy:

• patternfly-3.59.5.tgz (Root Library)
  • ❌ bootstrap-3.4.1.tgz (Vulnerable Library)

Found in HEAD commit: 99489caead4b82daad011bd2d1b5f720b8428654

Found in base branch: master

Vulnerability Details

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Bootstrap allows Cross-Site Scripting (XSS).This issue affects Bootstrap: from 3.4.1 before 4.0.0.

Publish Date: 2025-05-15

URL: CVE-2025-1647

CVSS 3 Score Details (5.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2025-1647

Release Date: 2025-05-15

Fix Resolution: bootstrap - 4.0.0

---

Step up your Open Source Security Game with Mend here