Security Issue Flagged by Snyk

[gregorymey-dev]

Hi Guys,

Thanks for the awesome tool.

Could you investigate the vulnerabilities that Snyk flagged.

✗ Arbitrary Code Injection [Medium Severity][https://snyk.io/vuln/SNYK-JS-EJS-1049328] in [email protected]
introduced by [email protected] > [email protected] > [email protected] > @surma/[email protected] > [email protected]
This issue was fixed in versions: 3.1.6
✗ Regular Expression Denial of Service (ReDoS) [Medium Severity][https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905] in [email protected]
introduced by [email protected] > [email protected] > [email protected] > [email protected] > [email protected] > [email protected]
This issue was fixed in versions: 5.1.2
✗ Regular Expression Denial of Service (ReDoS) [Medium Severity][https://snyk.io/vuln/SNYK-JS-HTMLPARSESTRINGIFY2-1079307] in [email protected]
introduced by [email protected] > [email protected]
No upgrade or patch available
✗ Regular Expression Denial of Service (ReDoS) [Medium Severity][https://snyk.io/vuln/SNYK-JS-ISSVG-1085627] in [email protected]
introduced by [email protected] > [email protected] > [email protected] > [email protected] > [email protected] > [email protected]
This issue was fixed in versions: 4.2.2
✗ Regular Expression Denial of Service (ReDoS) [High Severity][https://snyk.io/vuln/SNYK-JS-SSRI-1085630] in [email protected]
introduced by [email protected] > [email protected] > [email protected] > [email protected] > [email protected]
This issue was fixed in versions: 8.0.1

[candrews]

See https://snyk.io/vuln/SNYK-JS-SSRI-1085630

This issue is a duplicate of #10699

[carbonphyber]

Note that the first comment is a dump of multiple security reports and the second only describes 1 and refers to another GH Issue about that 1 security issue. Issue #10699 is only a partial duplicate of #10698 (this Issue).

Linkifying the SNYK security reports:

• Arbitrary Code Injection [Medium Severity] https://snyk.io/vuln/SNYK-JS-EJS-1049328 in [email protected] introduced by [email protected] > [email protected] > [email protected] > @surma/[email protected] > [email protected]. This issue was fixed in versions: 3.1.6
• Regular Expression Denial of Service (ReDoS) [Medium Severity] https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905 in [email protected] introduced by [email protected] > [email protected] > [email protected] > [email protected] > [email protected] > [email protected]. This issue was fixed in versions: 5.1.2
• Regular Expression Denial of Service (ReDoS) [Medium Severity] https://snyk.io/vuln/SNYK-JS-HTMLPARSESTRINGIFY2-1079307 in [email protected] introduced by [email protected] > [email protected]. No upgrade or patch available.
• Regular Expression Denial of Service (ReDoS) [Medium Severity] https://snyk.io/vuln/SNYK-JS-ISSVG-1085627 in [email protected] introduced by [email protected] > [email protected] > [email protected] > [email protected] > [email protected] > [email protected]. This issue was fixed in versions: 4.2.2
• Regular Expression Denial of Service (ReDoS) [High Severity] https://snyk.io/vuln/SNYK-JS-SSRI-1085630 in [email protected] introduced by [email protected] > [email protected] > [email protected] > [email protected] > [email protected]. This issue was fixed in versions: 8.0.1

[gregorymey-dev]

Note that the first comment is a dump of multiple security reports and the second only describes 1 and refers to another GH Issue about that 1 security issue. Issue #10699 is only a partial duplicate of #10698 (this Issue).

Linkifying the SNYK security reports:

• Arbitrary Code Injection [Medium Severity] https://snyk.io/vuln/SNYK-JS-EJS-1049328 in [email protected] introduced by [email protected] > [email protected] > [email protected] > @surma/[email protected] > [email protected]. This issue was fixed in versions: 3.1.6
• Regular Expression Denial of Service (ReDoS) [Medium Severity] https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905 in [email protected] introduced by [email protected] > [email protected] > [email protected] > [email protected] > [email protected] > [email protected]. This issue was fixed in versions: 5.1.2
• Regular Expression Denial of Service (ReDoS) [Medium Severity] https://snyk.io/vuln/SNYK-JS-HTMLPARSESTRINGIFY2-1079307 in [email protected] introduced by [email protected] > [email protected]. No upgrade or patch available.
• Regular Expression Denial of Service (ReDoS) [Medium Severity] https://snyk.io/vuln/SNYK-JS-ISSVG-1085627 in [email protected] introduced by [email protected] > [email protected] > [email protected] > [email protected] > [email protected] > [email protected]. This issue was fixed in versions: 4.2.2
• Regular Expression Denial of Service (ReDoS) [High Severity] https://snyk.io/vuln/SNYK-JS-SSRI-1085630 in [email protected] introduced by [email protected] > [email protected] > [email protected] > [email protected] > [email protected]. This issue was fixed in versions: 8.0.1

Thanks, I've noticed I accidently copied [email protected] into the message, this section should not be there.

[nj314]

@gregorymey-dev This issue needs to be reopened as there is no other issue covering the [email protected] vuln, which currently does not have a patch version available, so react-scripts needs changes to produce an upgrade to ejs@^3.1.6. As stated by @carbonphyber , this issue is only a partial duplicate of #10699 . We need this issue to capture the necessary major version upgrade from ejs 2 to 3.

[gusliedke]

Indeed. This still needs to be fixed. We need to upgrade [email protected] to [email protected].

Arbitrary Code Injection
Affected module: [email protected]
Exploit maturity: Proof of Concept
Fixed in: [email protected]

[email protected]  ›  [email protected]  ›  [email protected]  ›  @surma/[email protected]  ›  [email protected]```

[senkevichdv]

Any updates on this issue? I see this issue is still closed

Arbitrary Code Injection
Affected module: [email protected]
Introduced through: [email protected]
Exploit maturity: Proof of Concept
Fixed in: [email protected]

Introduced through:   [email protected]  ›  [email protected]  ›  [email protected]  ›  @surma/[email protected]  ›  [email protected]

[gregorymey-dev]

Hi Guys,

Was out of circulation for a while, IO would want to re-open this case.

[gaearon]

None of these issues affect how CRA uses these dependencies. There is nothing to address here.
#11174