Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

RE DoS + Prototype pollution vulnerability

See original GitHub issue

Issue details

NPM flagged a vulnerability regarding this package due to a Regular Expression Denial of Service found in its debug dependency as follows:

 Low           │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ debug                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >= 2.6.9 < 3.0.0 || >= 3.1.0                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ browser-sync [dev]                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ browser-sync > localtunnel > debug                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/534

There’s also an apparent Prototype Pollution in its lodash dependency as follows:

 Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.17.5                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ browser-sync                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ browser-sync > easy-extender > lodash                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/577

Steps to reproduce/test case

# cd to a project that uses browser-sync as a dev dependency
npm audit #or nsp check

Please specify which version of Browsersync, node and npm you’re running

Browsersync [2.24.6]
Node [10.7.0]
Npm [6.2.0]

Affected platforms

linux
windows
OS X
freebsd
solaris
other (please specify which)

Browsersync use-case

API
Gulp
Grunt
CLI

If CLI, please paste the entire command below

{cli command here}

for all other use-cases, (gulp, grunt etc), please show us exactly how you’re using Browsersync

    if (app.get('browser') || process.env.BROWSER) {
      require('browser-sync')({
        proxy: `localhost:${port}`,
        files: ['public/**/*.{js,css}']
      });
    }

Issue Analytics

State:
Created 5 years ago
Reactions:11
Comments:5 (2 by maintainers)

Top GitHub Comments

2reactions

adamjaffebackcommented, Sep 11, 2018

FYI, localtunnel updated their dependencies with https://github.com/localtunnel/localtunnel/pull/256 and released to v1.9.1 to fix their end.

1reaction

jt2kcommented, Oct 4, 2018

@shakyShane Thanks for fixing this! I see the change is tagged with a 2.25.0 alpha release. When will the final version be released?

Top Results From Across the Web

What is prototype pollution? | Tutorial & examples - Snyk Learn

Prototype pollution is an injection attack that targets JavaScript runtimes. With prototype pollution, an attacker might control the default values of an ...

What Is Prototype Pollution? | Risks & Mitigation - Imperva

This vulnerability is called prototype pollution because it allows threat actors to inject values that overwrite or pollute the “prototype” of a base...

The Complete Guide to Prototype Pollution Vulnerabilities

In this article, we're going to take a deep dive into what Prototype Pollution vulnerabilities are, and how they can be mitigated.

Exploiting Prototype Pollution. Introduction: | by Zub3r | Medium

Prototype pollution is a bug that is not yet as well documented as some of the major ones known to the public such...

Prototype pollution: The dangerous and underrated ...

The security hole was a prototype pollution bug – a type of vulnerability that allows attackers to exploit the rules of the JavaScript ......