Security vulnerability on the module node-forge

🐛 bug report

There is a security vulnerability on the module node-forge. Here is the link of the information about the vulnerability: https://www.npmjs.com/advisories/1561

🤔 Expected Behavior

No security vulnerabilities when you execute npm audit

😯 Current Behavior

There is a security vulnerability when you execute npm audit

Here is the terminal message:


                       === npm audit security report ===                        


                                 Manual Review                                  
             Some vulnerabilities require your attention to resolve             
                                                                                
          Visit https://go.npm.me/audit-guide for additional guidance           


  High            Prototype Pollution in node-forge                             

  Package         node-forge                                                    

  Patched in      >= 0.10.0                                                     

  Dependency of   parcel [dev]                                                  

  Path            parcel > node-forge                                           

  More info       https://npmjs.com/advisories/1561

💁 Possible Solution

Executing npm audit fix will solve the issue

🔦 Context

I’m a developer using this npm package and it affects my app.

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Reactions: 4
  • Comments: 6

Top GitHub Comments

4 reactions
mohameddahrouj commented, Oct 2, 2020

I also came across this issue. The latest stable version looks to be v1.12.4 which depends on v0.7.6 of node-forge. The next version that resolves the vulnerability and references v0.10.0 of node-forge is v2.0.0-beta.1.

2 reactions
mmikhalko commented, Nov 25, 2020

Please provide the patch for v1, I won’t use v2 as a beta!
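
The version check discussed in this thread can be run against a lockfile directly. The following is an added example, not code from the issue, Parcel or node-forge: it reports every resolved node-forge copy below the patched 0.10.0 named in the audit report. The function names and the sample lockfile are constructed for illustration.

```javascript
// Added example: list node-forge copies older than the patched 0.10.0 in an npm lockfile.
const PATCHED = [0, 10, 0]; // "Patched in >= 0.10.0" from the audit report

// Parse "major.minor.patch"; any -prerelease/+build suffix is ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v || "");
  return m ? m.slice(1).map(Number) : null;
}

function isBelow(version, floor) {
  const parts = parseVersion(version);
  if (!parts) return true; // unparseable version: flag for manual review
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== floor[i]) return parts[i] < floor[i];
  }
  return false;
}

// Supports lockfileVersion 1 (nested "dependencies") and 2/3 (flat "packages").
function findVulnerable(lock, name = "node-forge", floor = PATCHED) {
  const hits = [];
  if (lock.packages) {
    for (const [path, pkg] of Object.entries(lock.packages)) {
      if (path.endsWith("node_modules/" + name) && isBelow(pkg.version, floor)) {
        hits.push({ path, version: pkg.version, dev: !!pkg.dev });
      }
    }
    return hits;
  }
  function walk(deps, trail) {
    for (const [dep, info] of Object.entries(deps || {})) {
      const here = trail.concat(dep);
      if (dep === name && isBelow(info.version, floor)) {
        hits.push({ path: here.join(" > "), version: info.version, dev: !!info.dev });
      }
      walk(info.dependencies, here); // nested installs in lockfile v1
    }
  }
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample in the "packages" shape, using the versions named in the thread.
const sampleLock = {
  packages: {
    "node_modules/parcel": { version: "1.12.4", dev: true },
    "node_modules/node-forge": { version: "0.7.6", dev: true },
  },
};
console.log(findVulnerable(sampleLock));
```

To check a real project, pass the parsed contents of its package-lock.json to findVulnerable; an empty array means no resolved copy is below 0.10.0.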
