Skip to content

react is vulnerable #5049

New issue
New issue
Closed
Closed
react is vulnerable#5049
@RDIL

Description

@RDIL
RDIL
opened on Sep 20, 2018

here are vulnerabilities (credit to snyk.io):

Denial of Service (DoS)

Vulnerable module: mem
Introduced through: react-scripts@1.1.5

Detailed paths and remediation

Introduced through: areactapp@1.0.0 › react-scripts@1.1.5 › webpack@3.8.1 › yargs@8.0.2 › os-locale@2.1.0 › mem@1.1.0
Remediation: No remediation path available.

Overview

mem is an optimization technique used to speed up consecutive function calls by caching the result of calls with identical input.

Affected versions of this package are vulnerable to Denial of Service (DoS) attacks. Old results are not deleted from the cache and could cause a memory leak.
More about this issue
medium severity
Regular Expression Denial of Service (ReDoS)

Vulnerable module: content-type-parser
Introduced through: react-scripts@1.1.5

Detailed paths and remediation

Introduced through: areactapp@1.0.0 › react-scripts@1.1.5 › jest@20.0.4 › jest-cli@20.0.4 › jest-runtime@20.0.4 › jest-config@20.0.4 › jest-environment-jsdom@20.0.3 › jsdom@9.12.0 › content-type-parser@1.0.2
Remediation: No remediation path available.
Introduced through: areactapp@1.0.0 › react-scripts@1.1.5 › jest@20.0.4 › jest-cli@20.0.4 › jest-config@20.0.4 › jest-environment-jsdom@20.0.3 › jsdom@9.12.0 › content-type-parser@1.0.2
Remediation: No remediation path available.
Introduced through: areactapp@1.0.0 › react-scripts@1.1.5 › jest@20.0.4 › jest-cli@20.0.4 › jest-environment-jsdom@20.0.3 › jsdom@9.12.0 › content-type-parser@1.0.2
Remediation: No remediation path available.

Overview

content-type-parser parses the Content-Type header field into an introspectable data structure.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the user agent parser. It used a regular expression (/^(.?)/(.?)([\t ];.)?$/) in order to parse user agents. This can cause a very moderate impact of about 4 seconds matching time for data 30k characters long.
More about this issue
medium severity
Time of Check Time of Use (TOCTOU)

Vulnerable module: chownr
Introduced through: react-scripts@1.1.5

Detailed paths and remediation

Introduced through: areactapp@1.0.0 › react-scripts@1.1.5 › webpack@3.8.1 › watchpack@1.6.0 › chokidar@2.0.4 › fsevents@1.2.4 › node-pre-gyp@0.10.3 › tar@4.4.6 › chownr@1.1.1
Remediation: No remediation path available.
Introduced through: areactapp@1.0.0 › react-scripts@1.1.5 › webpack-dev-server@2.11.3 › chokidar@2.0.4 › fsevents@1.2.4 › node-pre-gyp@0.10.3 › tar@4.4.6 › chownr@1.1.1
Remediation: No remediation path available.
Introduced through: areactapp@1.0.0 › react-scripts@1.1.5 › fsevents@1.2.4 › node-pre-gyp@0.10.3 › tar@4.4.6 › chownr@1.1.1
Remediation: No remediation path available.

Overview

Affected versions of chownr are vulnerable to Time of Check Time of Use (TOCTOU). It does not dereference symbolic links and changes the owner of the link.
More about this issue
low severity
Regular Expression Denial of Service (ReDoS)

Vulnerable module: eslint
Introduced through: react-scripts@1.1.5

Detailed paths and remediation

Introduced through: areactapp@1.0.0 › react-scripts@1.1.5 › eslint@4.10.0
Remediation: No remediation path available.

Overview

eslint is an AST-based pattern checker for JavaScript.

Affected versions of the package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks. This can cause an impact of about 10 seconds matching time for data 100k characters long.
More about this issue
low severity
Regular Expression Denial of Service (ReDoS)

Vulnerable module: braces
Introduced through: react-scripts@1.1.5

Detailed paths and remediation

Introduced through: areactapp@1.0.0 › react-scripts@1.1.5 › jest@20.0.4 › jest-cli@20.0.4 › jest-runtime@20.0.4 › jest-config@20.0.4 › jest-jasmine2@20.0.4 › jest-snapshot@20.0.3 › jest-util@20.0.3 › jest-message-util@20.0.3 › micromatch@2.3.11 › braces@1.8.5
Remediation: No remediation path available.
Introduced through: areactapp@1.0.0 › react-scripts@1.1.5 › jest@20.0.4 › jest-cli@20.0.4 › jest-runtime@20.0.4 › jest-config@20.0.4 › jest-jasmine2@20.0.4 › jest-matchers@20.0.3 › jest-message-util@20.0.3 › micromatch@2.3.11 › braces@1.8.5
Remediation: No remediation path available.
Introduced through: areactapp@1.0.0 › react-scripts@1.1.5 › jest@20.0.4 › jest-cli@20.0.4 › jest-runtime@20.0.4 › jest-config@20.0.4 › jest-environment-jsdom@20.0.3 › jest-util@20.0.3 › jest-message-util@20.0.3 › micromatch@2.3.11 › braces@1.8.5
Remediation: No remediation path available.

…and 25 more
Overview

braces is a Bash-like brace expansion, implemented in JavaScript.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks. It used a regular expression (^{(,+(?:({,+})),|,(?:({,+})),+)}) in order to detects empty braces. This can cause an impact of about 10 seconds matching time for data 50K characters long.

Activity

gaearon

gaearon commented on Sep 20, 2018

@gaearon
gaearon
on Sep 20, 2018
Contributor

It's a development dependency in all of the above cases.
There is no attack vector here — you can safely consider this a false positive and ignore it.

gaearon
closed this as completedon Sep 20, 2018
RDIL

RDIL commented on Sep 21, 2018

@RDIL
RDIL
on Sep 21, 2018
ContributorAuthor

ok thanks

lock
locked and limited conversation to collaborators on Jan 18, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

      Development

      No branches or pull requests

        Participants

        @gaearon@RDIL

        Issue actions
          react is vulnerable · Issue #5049 · facebook/create-react-app