Skip to content

Github is showing security warnings to react apps about serialize-javascript dependency before 2.1.1 #17559

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
arye-eidelman opened this issue Dec 9, 2019 · 5 comments
Closed

Github is showing security warnings to react apps about serialize-javascript dependency before 2.1.1 #17559

arye-eidelman opened this issue Dec 9, 2019 · 5 comments

Comments

@arye-eidelman
Copy link

arye-eidelman commented Dec 9, 2019
edited
Loading

Do you want to request a feature or report a bug? Bug

What is the current behavior?
React apps use a version of serialize-javascript that creates this warning github.com/yahoo/serialize-javascript/.../advisories/GHSA-h9rv-jmmf-4pgx.
An updated version ^2.1.1 was just released to fix this issue.

Impact

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions.

This vulnerability is not affected on Node.js environment since Node.js's implementation of RegExp.prototype.toString() backslash-escapes all forward slashes in regular expressions.

If serialized data of regular expression objects are used in an environment other than Node.js, it is affected by this vulnerability.

Patches

This was patched in v2.1.1.

Reproduction steps

npx create-react-app testing-latest-react

(React version 16.12.0)

What is the expected behavior?

Which versions of React, and which browser / OS are affected by this issue? Did this work in previous versions of React?

This security advisory was just created 5 days ago. I don't know what older react versions are affected.
@bvaughn
Copy link
Contributor

bvaughn commented Dec 9, 2019

Could you clarify what you mean by "React apps"

Looks like React depends on serialize-javascript because of terser-webpack-plugin. This shouldn't actually impact React app code though, since it's not actually bundled with React- just one of the tools used by the build toolchain.

@arye-eidelman
Copy link
Author

arye-eidelman commented Dec 9, 2019
edited
Loading

New apps created with npx create-react-app get this warning.

@arye-eidelman
Copy link
Author

I'm not saying specifically that this vulnerability affects react apps, just that new react apps get this warning on Github.

@bvaughn
Copy link
Contributor

bvaughn commented Dec 9, 2019
edited
Loading

Sounds like an issue that should be filed against the create-react-app repo then? Looks like it already has been:

facebook/create-react-app#8100

There's nothing about React apps that requires the use of this plugin. It's just something being used by react-scripts/Webpack.

@arye-eidelman arye-eidelman changed the title serialize-javascript dependency before 2.1.1 security warning (REGEX XSS vulnerability) Github is showing security warnings to react apps about serialize-javascript dependency before 2.1.1 Dec 9, 2019
@bvaughn
Copy link
Contributor

bvaughn commented Dec 9, 2019

Thanks for the heads up though!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@bvaughn @arye-eidelman