
Current release of @vue/cli-service is affected by CVE-2021-27290 Regular Expression Denial of Service in ssri

Version

4.5.12

Environment info

Environment Info:

  System:
    OS: Linux 5.11 Arch Linux
    CPU: (8) x64 Intel(R) Core(TM) i7-6700 CPU @ 3.40GHz
  Binaries:
    Node: Not Found
    Yarn: 1.22.10 - /tmp/yarn--1618510365267-0.6910111220689819/yarn
    npm: 7.8.0 - /usr/bin/npm
  Browsers:
    Chrome: Not Found
    Firefox: 87.0
  npmPackages:
    @vue/babel-helper-vue-jsx-merge-props:  1.2.1 
    @vue/babel-plugin-transform-vue-jsx:  1.2.1 
    @vue/babel-preset-app:  3.12.1 
    @vue/babel-preset-jsx:  1.2.4 
    @vue/babel-sugar-composition-api-inject-h:  1.2.1 
    @vue/babel-sugar-composition-api-render-instance:  1.2.4 
    @vue/babel-sugar-functional-vue:  1.2.2 
    @vue/babel-sugar-inject-h:  1.2.2 
    @vue/babel-sugar-v-model:  1.2.3 
    @vue/babel-sugar-v-on:  1.2.3 
    @vue/cli: ^4.5.4 => 4.5.11 
    @vue/cli-overlay:  4.5.12 
    @vue/cli-plugin-babel: ^3.5.0 => 3.12.1 
    @vue/cli-plugin-eslint: ^3.5.0 => 3.12.1 
    @vue/cli-plugin-router:  4.5.12 
    @vue/cli-plugin-vuex:  4.5.12 
    @vue/cli-service: ^4.5.4 => 4.5.12 
    @vue/cli-shared-utils:  4.5.11 (3.12.1, 4.5.12)
    @vue/cli-ui:  4.5.11 
    @vue/cli-ui-addon-webpack:  4.5.11 
    @vue/cli-ui-addon-widgets:  4.5.11 
    @vue/compiler-core:  3.0.7 
    @vue/compiler-dom:  3.0.7 
    @vue/compiler-sfc:  undefined (3.0.7)
    @vue/compiler-ssr:  3.0.7 
    @vue/component-compiler-utils:  3.2.0 
    @vue/preload-webpack-plugin:  1.1.2 
    @vue/reactivity:  3.0.7 
    @vue/runtime-core:  3.0.7 
    @vue/runtime-dom:  3.0.7 
    @vue/shared:  3.0.7 
    @vue/web-component-wrapper:  1.3.0 
    eslint-plugin-vue: ^5.0.0 => 5.2.3 (4.7.1)
    typescript:  3.9.9 
    vue: ^2.6.10 => 2.6.12 (3.0.7)
    vue-cli-plugin-apollo:  0.21.3 
    vue-cli-plugin-vuetify: latest => 2.0.7 
    vue-cli-plugin-vuetify-essentials: latest => 0.8.3 
    vue-codemod:  0.0.4 
    vue-eslint-parser:  5.0.0 (2.0.3)
    vue-hot-reload-api:  2.3.4 
    vue-loader:  15.9.6 (16.2.0)
    vue-style-loader:  4.1.3 
    vue-template-compiler: 2.6.12 => 2.6.12 
    vue-template-es2015-compiler:  1.9.1 
    vuetify: ^2.1.11 => 2.3.14 
    vuetify-loader: ~>1.4.2 => 1.4.4 
  npmGlobalPackages:
    @vue/cli: Not Found

Steps to reproduce

  • Require the latest stable version of the @vue/cli-service package in any app.
  • Run yarn audit.

What is expected?

The latest version of the software does not report any vulnerabilities.

What is actually happening?

The latest version of the software has two vulnerabilities from ssri, one from a direct dependency on the package.


My pipeline broke today once this vulnerability finally made it into the audit database.

https://www.npmjs.com/advisories/565

Top GitHub Comments

sodatea commented, May 8, 2021

The ssri issue is fixed in v4.5.13

undergroundwires commented, Apr 16, 2021

My pipeline has been failing since yesterday and I tried with both 4.5.11 and 4.5.12 and both fail. I reproduced it on privacy.sexy with npm install and then npm audit after cloning.

Here's the npm audit report:
# npm audit report

ssri  5.2.2 - 6.0.1 || 7.0.0 - 8.0.0
Severity: moderate
Regular Expression Denial of Service - https://npmjs.com/advisories/565
fix available via `npm audit fix --force`
Will install @vue/cli-service@4.1.1, which is a breaking change
node_modules/@vue/cli-service/node_modules/ssri
node_modules/ssri
  @vue/cli-service  4.0.0-alpha.0 - 4.5.12
  Depends on vulnerable versions of ssri
  Depends on vulnerable versions of terser-webpack-plugin
  node_modules/@vue/cli-service
  cacache  10.0.4 - 11.0.0 || 13.0.0 - 14.0.0
  Depends on vulnerable versions of ssri
  node_modules/@vue/cli-service/node_modules/cacache
    terser-webpack-plugin  2.1.1 - 2.3.8
    Depends on vulnerable versions of cacache
    node_modules/@vue/cli-service/node_modules/terser-webpack-plugin

4 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

It seems to be caused by dependencies to ssri directly and through webpack-contrib/terser-webpack-plugin and cacache.

FYI ssri has backported the fix to 6.0.2
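As an added example (not code from the issue or from the vue-cli project), the following Node.js check scans a parsed package-lock.json for every installed copy of ssri whose version falls inside the ranges the audit output above reports for advisory 565 (5.2.2 - 6.0.1 || 7.0.0 - 8.0.0), so nested copies under @vue/cli-service are caught as well as the hoisted one. The lockfile object and its paths are constructed sample data; the version comparison is a deliberate simplification, not full semver.

```javascript
// Affected ssri ranges as reported by npm audit for CVE-2021-27290 / advisory 565.
// Releases 6.0.2 (backport) and 8.0.1 carry the fix and fall outside these ranges.
const AFFECTED_RANGES = [
  ["5.2.2", "6.0.1"],
  ["7.0.0", "8.0.0"],
];

// Compare two dotted release versions numerically. Pre-release suffixes are
// dropped on purpose (simplification for this example, not full semver).
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True when `version` lies inside any affected range (inclusive bounds).
function isAffectedSsri(version) {
  return AFFECTED_RANGES.some(
    ([lo, hi]) => compareVersions(version, lo) >= 0 && compareVersions(version, hi) <= 0
  );
}

// Walk the "packages" map of a lockfileVersion >= 2 package-lock.json and
// return every path that is an ssri install at an affected version.
function findAffectedSsri(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.endsWith("node_modules/ssri") && meta.version && isAffectedSsri(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile mirroring the layout in the audit report above:
// a hoisted ssri, a nested copy under @vue/cli-service, and one already fixed.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "": { name: "sample-app" },
    "node_modules/ssri": { version: "8.0.0" },
    "node_modules/@vue/cli-service/node_modules/ssri": { version: "6.0.1" },
    "node_modules/@vue/cli-service/node_modules/cacache/node_modules/ssri": { version: "6.0.2" },
  },
};

console.log(JSON.stringify(findAffectedSsri(SAMPLE_LOCK), null, 2));
```

Running it against a real lockfile means replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json"))`; an empty result after upgrading to @vue/cli-service 4.5.13 confirms the nested copy is gone.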
