Snyk reports high risk severity for acorn in react-scripts

See original GitHub issue

Describe the bug

Snyk reports high severity issue with react-scripts. See details below:

Regular Expression Denial of Service (ReDoS)

Vulnerable module: acorn
Introduced through: react-scripts@3.4.0
Exploit maturity: No known exploit
Fixed in: 7.1.1

Detailed paths

Introduced through: react-experiment@0.3.3 › react-scripts@3.4.0 › webpack@4.41.5 › acorn@6.4.0
Remediation: No remediation path available.
Introduced through: react-experiment@0.3.3 › react-scripts@3.4.0 › jest-environment-jsdom-fourteen@1.0.1 › jsdom@14.1.0 › acorn@6.4.0
Remediation: No remediation path available.
Introduced through: react-experiment@0.3.3 › react-scripts@3.4.0 › jest-environment-jsdom-fourteen@1.0.1 › jsdom@14.1.0 › acorn-globals@4.3.4 › acorn@6.4.0
Remediation: No remediation path available.

…and 14 more

Overview

acorn is a tiny, fast JavaScript parser written in JavaScript.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via a regex in the form of /[x-\ud800]/u, which causes the parser to enter an infinite loop.

This string is not valid UTF-16 and is therefore not sanitized before reaching the parser. An application which processes untrusted input and passes it directly to acorn will allow attackers to leverage the vulnerability, leading to a Denial of Service.

Did you try recovering your dependencies?

Yes.

Please paste the output of npm --version and/or yarn --version to confirm.

6.13.7

Which terms did you search for in User Guide?

Not applicable.

Environment

Environment Info:

System:
  OS: Windows 7 6.1.7601
  CPU: (8) x64 Intel® Core™ i7-4790K CPU @ 4.00GHz
Binaries:
  Node: 12.16.1 - C:\Program Files\nodejs\node.EXE
  Yarn: 1.21.1 - C:\Program Files (x86)\Yarn x\bin\yarn.CMD
  npm: 6.13.7 - C:\Program Files\nodejs\npm.CMD
Browsers:
  Internet Explorer: 11.0.9600.19301
npmPackages:
  react: ^16.13.0 => 16.13.0
  react-dom: ^16.13.0 => 16.13.0
  react-scripts: 3.4.0 => 3.4.0
npmGlobalPackages:
  create-react-app: Not Found

Steps to reproduce

Install new version of React.


  1. npx create-react-app my-app
  2. Test with Snyk.io

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Reactions: 30
  • Comments: 28 (1 by maintainers)

Top GitHub Comments

24 reactions
vanskins commented, Mar 9, 2020

This needs to be fixed asap because it affects developers using create-react-app.

16 reactions
Caruso33 commented, Mar 9, 2020

Running npm, I was able to fix it temporarily by adding to package.json scripts:

"preinstall": "npx npm-force-resolutions"

and adding to package.json:

"resolutions": { "acorn": "^7.1.1" }

waiting for react-scripts update though.
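The following is an added example, not code from the original issue, from Snyk or from react-scripts. It re-creates the kind of "Detailed paths" audit Snyk printed in the report above over a lockfileVersion 1 package-lock.json tree (direct dependencies taken from package.json, transitive ones resolved Node-style through nested and hoisted "dependencies" maps), and then shows what the "resolutions" override in the comment above is meant to achieve: once every copy of acorn in the tree, hoisted or nested, is pinned to the fixed release, no vulnerable path remains. The package.json dependency list and the lockfile object are constructed for this example; the versions follow the paths quoted in the issue, but the tree is a cut-down stand-in, not a real create-react-app lock, and the version comparison assumes the exact versions a lockfile pins.

```javascript
// Added example: not code from the original issue, from Snyk or from
// react-scripts. Audits a lockfileVersion 1 package-lock.json tree for
// every path that reaches a vulnerable release of a package, then shows
// the effect of a "resolutions"-style override on that tree.

// Direct dependencies, as they would appear in the constructed package.json.
const SAMPLE_DIRECT_DEPS = ["react-scripts"];

// Constructed lockfileVersion 1 tree (a stand-in, not a real lock). acorn@6.4.0
// is hoisted to the top level and reached by several packages, which is why
// Snyk lists several paths; acorn-globals also carries a nested copy.
const SAMPLE_LOCK = {
  name: "react-experiment",
  version: "0.3.3",
  lockfileVersion: 1,
  dependencies: {
    "react-scripts": {
      version: "3.4.0",
      requires: { webpack: "4.41.5", "jest-environment-jsdom-fourteen": "1.0.1" },
    },
    webpack: { version: "4.41.5", requires: { acorn: "6.4.0" } },
    "jest-environment-jsdom-fourteen": { version: "1.0.1", requires: { jsdom: "14.1.0" } },
    jsdom: { version: "14.1.0", requires: { acorn: "6.4.0", "acorn-globals": "4.3.4" } },
    "acorn-globals": {
      version: "4.3.4",
      requires: { acorn: "6.4.0" },
      dependencies: { acorn: { version: "6.4.0" } }, // nested duplicate copy
    },
    acorn: { version: "6.4.0" },
  },
};

// Parse "6.4.0" into [6, 4, 0]. Lockfiles pin exact versions, so any
// prerelease or build suffix is dropped (an assumption of this helper).
function parseVersion(v) {
  return v.split(/[-+]/)[0].split(".").map((n) => parseInt(n, 10) || 0);
}

// Negative when a < b, zero when equal, positive when a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Node-style resolution in a v1 lockfile: a package's dependency lives in the
// nearest enclosing "dependencies" map, searched from the package itself up
// to the lockfile root.
function resolveDep(name, ancestors) {
  for (let i = ancestors.length - 1; i >= 0; i--) {
    const deps = ancestors[i].dependencies || {};
    if (Object.prototype.hasOwnProperty.call(deps, name)) return deps[name];
  }
  return null;
}

// Every path "root@v › ... › target@v" from the root package to an installed
// copy of `target` whose version is older than `fixedIn`.
function auditLock(lock, directDeps, target, fixedIn) {
  const found = [];
  const root = {
    requires: Object.fromEntries(directDeps.map((n) => [n, "*"])),
    dependencies: lock.dependencies || {},
  };

  function walk(node, ancestors, labels, seen) {
    for (const depName of Object.keys(node.requires || {})) {
      const dep = resolveDep(depName, ancestors);
      if (!dep) continue; // dangling "requires" entry: report nothing rather than guess
      const label = `${depName}@${dep.version}`;
      const chain = [...labels, label];
      if (depName === target) {
        if (compareVersions(dep.version, fixedIn) < 0) found.push(chain.join(" › "));
        continue;
      }
      if (seen.has(label)) continue; // guard against circular dependencies
      walk(dep, [...ancestors, dep], chain, new Set([...seen, label]));
    }
  }

  walk(root, [root], [`${lock.name}@${lock.version}`], new Set());
  return found;
}

// What the "resolutions" override is meant to achieve: every copy of `name`
// anywhere in the tree, hoisted or nested, pinned to `version`. This only
// rewrites the version field on a copy of the tree; the real
// npm-force-resolutions rewrites package-lock.json so that the next
// npm install fetches the pinned release.
function applyResolution(lock, name, version) {
  const copy = JSON.parse(JSON.stringify(lock));
  (function visit(deps) {
    for (const [depName, dep] of Object.entries(deps || {})) {
      if (depName === name) dep.version = version;
      visit(dep.dependencies);
    }
  })(copy.dependencies);
  return copy;
}

// Usage: the same kind of report Snyk showed for the issue's project.
const paths = auditLock(SAMPLE_LOCK, SAMPLE_DIRECT_DEPS, "acorn", "7.1.1");
console.log(`${paths.length} vulnerable path(s):`);
for (const p of paths) console.log("  " + p);
const fixed = applyResolution(SAMPLE_LOCK, "acorn", "7.1.1");
console.log(`after resolution: ${auditLock(fixed, SAMPLE_DIRECT_DEPS, "acorn", "7.1.1").length} vulnerable path(s)`);
```

Against the constructed tree the audit reports the three paths quoted in the issue (react-scripts via webpack, via jsdom, and via acorn-globals), and after the override none remain. On a real project, `npm ls acorn` after `npm install` lists every installed copy of acorn with its version and is the quickest way to confirm that the override actually took effect rather than trusting the edited package.json.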
