
Security vulnerabilities in http-proxy and markdown-to-jsx


Current behavior

The dependencies

  • vue-styleguidist>react-styleguidist>webpack-dev-server>http-proxy-middleware>http-proxy
  • vue-styleguidist>webpack-dev-server>http-proxy-middleware>http-proxy
  • vue-styleguidist>react-styleguidist>markdown-to-jsx

are reported with high vulnerabilities.

More information:

https://www.npmjs.com/advisories/1219
https://www.npmjs.com/advisories/1486

Our project audit-ci output:

audit-ci version: 2.5.1
NPM audit report results:
{
  "advisories": {
    "1219": {
      "findings": [
        {
          "version": "6.11.1",
          "paths": [
            "vue-styleguidist>react-styleguidist>markdown-to-jsx"
          ]
        }
      ],
      "id": 1219,
      "created": "2019-10-17T19:30:12.675Z",
      "updated": "2020-05-20T01:58:17.837Z",
      "deleted": null,
      "title": "Cross-Site Scripting",
      "found_by": {
        "link": "",
        "name": "Bob \"Wombat\" Hogg",
        "email": ""
      },
      "reported_by": {
        "link": "",
        "name": "Bob \"Wombat\" Hogg",
        "email": ""
      },
      "module_name": "markdown-to-jsx",
      "cves": [],
      "vulnerable_versions": ">=0.0.0",
      "patched_versions": "<0.0.0",
      "overview": "All versions of `simple-markdown` are vulnerable to Cross-Site Scripting. Due to insufficient input sanitization the package may render output containing malicious JavaScript. This vulnerability can be exploited through input of links containing `data` or VBScript URIs and a base64-encoded payload.",
      "recommendation": "No fix is currently available. Consider using an alternative package until a fix is made available.",
      "references": "",
      "access": "public",
      "severity": "high",
      "cwe": "CWE-79",
      "metadata": {
        "module_type": "",
        "exploitability": 4,
        "affected_components": ""
      },
      "url": "https://npmjs.com/advisories/1219"
    },
    "1486": {
      "findings": [
        {
          "version": "1.17.0",
          "paths": [
            "@vue/cli-service>webpack-dev-server>http-proxy-middleware>http-proxy",
            "vue-styleguidist>react-styleguidist>webpack-dev-server>http-proxy-middleware>http-proxy",
            "vue-styleguidist>webpack-dev-server>http-proxy-middleware>http-proxy"
          ]
        }
      ],
      "id": 1486,
      "created": "2020-02-21T14:16:24.023Z",
      "updated": "2020-05-18T14:50:08.944Z",
      "deleted": null,
      "title": "Denial of Service",
      "found_by": {
        "link": "https://twitter.com/_awry",
        "name": "Grant Murphy",
        "email": ""
      },
      "reported_by": {
        "link": "https://twitter.com/_awry",
        "name": "Grant Murphy",
        "email": ""
      },
      "module_name": "http-proxy",
      "cves": [],
      "vulnerable_versions": "<1.18.1",
      "patched_versions": ">=1.18.1",
      "overview": "Versions of `http-proxy` prior to 1.18.1 are vulnerable to Denial of Service. An HTTP request with a long body triggers an `ERR_HTTP_HEADERS_SENT` unhandled exception that crashes the proxy server. This is only possible when the proxy server sets headers in the proxy request using the `proxyReq.setHeader` function.   \n\nFor a proxy server running on `http://localhost:3000`, the following curl request triggers the unhandled exception:  \n```curl -XPOST http://localhost:3000 -d \"$(python -c 'print(\"x\"*1025)')\"```",
      "recommendation": "Upgrade to version 1.18.1 or later",
      "references": "- [Patch PR](https://github.com/http-party/node-http-proxy/pull/1447/files)",
      "access": "public",
      "severity": "high",
      "cwe": "CWE-400",
      "metadata": {
        "module_type": "",
        "exploitability": 4,
        "affected_components": ""
      },
      "url": "https://npmjs.com/advisories/1486"
    }
  },
  "metadata": {
    "vulnerabilities": {
      "info": 0,
      "low": 47850,
      "moderate": 26,
      "high": 4,
      "critical": 0
    },
    "dependencies": 63,
    "devDependencies": 3449,
    "optionalDependencies": 87,
    "totalDependencies": 3512
  }
}

To reproduce

npm install --save-dev audit-ci
audit-ci --high

Audit fails.

Expected behavior

No vulnerabilities in dependencies. Audit passes.
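The report above encodes two different outcomes: http-proxy has an upgrade path (patched in >=1.18.1), while markdown-to-jsx is marked "no fix available" through the empty range "<0.0.0". As an added example, not part of the issue or of audit-ci itself, the Node script below reads that report shape and tells the two cases apart so a CI gate can report "upgrade" versus "replace or allowlist"; the report object is constructed to mirror the issue's output, and advisory 9999 is invented.

```javascript
// Added example (not from the issue or from audit-ci): gate CI on the npm
// audit JSON shape that audit-ci prints, separating advisories that have an
// upgrade path from those the registry marks as having no fix.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// The registry encodes "no fix available" as the empty range "<0.0.0".
function hasFix(advisory) {
  return advisory.patched_versions !== "<0.0.0";
}

// Return the advisories at or above `threshold`, with the top-level
// dependencies that pull each vulnerable module in.
function summarizeAdvisories(report, threshold) {
  const minRank = SEVERITY_RANK[threshold];
  return Object.values(report.advisories)
    .filter((a) => SEVERITY_RANK[a.severity] >= minRank)
    .map((a) => ({
      id: a.id,
      module: a.module_name,
      severity: a.severity,
      fixable: hasFix(a),
      patched: hasFix(a) ? a.patched_versions : null,
      roots: [...new Set(a.findings.flatMap((f) => f.paths.map((p) => p.split(">")[0])))],
    }));
}

function shouldFail(report, threshold) {
  return summarizeAdvisories(report, threshold).length > 0;
}

// Constructed report mirroring the issue's output; advisory 9999 is invented
// to show that a low-severity finding does not trip a --high gate.
const SAMPLE_REPORT = { advisories: {
  "1219": { id: 1219, module_name: "markdown-to-jsx", severity: "high",
    patched_versions: "<0.0.0",
    findings: [{ version: "6.11.1", paths: ["vue-styleguidist>react-styleguidist>markdown-to-jsx"] }] },
  "1486": { id: 1486, module_name: "http-proxy", severity: "high",
    patched_versions: ">=1.18.1",
    findings: [{ version: "1.17.0", paths: [
      "@vue/cli-service>webpack-dev-server>http-proxy-middleware>http-proxy",
      "vue-styleguidist>webpack-dev-server>http-proxy-middleware>http-proxy"] }] },
  "9999": { id: 9999, module_name: "example-pkg", severity: "low",
    patched_versions: ">=2.0.0", findings: [{ version: "1.0.0", paths: ["example-pkg"] }] },
} };

for (const a of summarizeAdvisories(SAMPLE_REPORT, "high")) {
  const action = a.fixable ? `upgrade to ${a.patched}` : "no fix: replace or allowlist";
  console.log(`${a.severity} ${a.module} (#${a.id}) via ${a.roots.join(", ")}: ${action}`);
}
console.log(shouldFail(SAMPLE_REPORT, "high") ? "audit FAILS at --high" : "audit passes at --high");
```

To run it against a real report, replace SAMPLE_REPORT with the parsed output of `npm audit --json`.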

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 13 (8 by maintainers)

Top GitHub Comments

elevatebart commented, Aug 4, 2020

@solidevolution Would you please check if it is fixed?

If it is not, please re-open this issue.

Thank you

solidevolution commented, Aug 4, 2020

It’s fixed, thanks!
