Vulnerability in "node-forge" transitive dependency of "webpack-dev-server" in "@vue/cli-service": Prototype Pollution
Version
4.5.6
Environment info
Environment Info:
System:
OS: Windows 10 10.0.19041
CPU: (8) x64 Intel(R) Core(TM) i7-8550U CPU @ 1.80GHz
Binaries:
Node: 12.18.3 - C:\Program Files\nodejs\node.EXE
Yarn: 1.22.5 - C:\Program Files (x86)\Yarn\bin\yarn.CMD
npm: 6.14.8 - C:\Program Files\nodejs\npm.CMD
Browsers:
Chrome: 85.0.4183.121
Edge: Spartan (44.19041.423.0), Chromium (85.0.564.63), ChromiumDev (87.0.654.0)
npmPackages:
@ant-design-vue/babel-helper-vue-transform-on: 1.0.1
@types/vue2-editor: ^2.6.0 => 2.6.0
@vue/babel-helper-vue-jsx-merge-props: 1.0.0
@vue/babel-plugin-transform-vue-jsx: 1.1.2
@vue/babel-preset-app: ^4.1.1 => 4.5.4
@vue/babel-preset-jsx: 1.1.2
@vue/babel-sugar-functional-vue: 1.1.2
@vue/babel-sugar-inject-h: 1.1.2
@vue/babel-sugar-v-model: 1.1.2
@vue/babel-sugar-v-on: 1.1.2
@vue/cli-overlay: 4.5.6
@vue/cli-plugin-babel: ^4.1.1 => 4.5.4
@vue/cli-plugin-eslint: ^4.1.0 => 4.5.4
@vue/cli-plugin-router: 4.5.6
@vue/cli-plugin-typescript: ^4.1.1 => 4.5.4
@vue/cli-plugin-unit-mocha: ^4.1.1 => 4.5.4
@vue/cli-plugin-vuex: 4.5.6
@vue/cli-service: 4.5.6 => 4.5.6
@vue/cli-shared-utils: 4.5.4 (4.5.6)
@vue/component-compiler-utils: 3.2.0
@vue/composition-api: ^1.0.0-beta.3 => 1.0.0-beta.3
@vue/eslint-config-airbnb: ^4.0.0 => 4.0.1
@vue/eslint-config-typescript: ^4.0.0 => 4.0.0
@vue/preload-webpack-plugin: 1.1.2
@vue/test-utils: 1.0.0-beta.29 => 1.0.0-beta.29
@vue/web-component-wrapper: 1.2.0
ag-grid-vue: ^21.2.2 => 21.2.2
eslint-plugin-vue: ^6.1.2 => 6.1.2
typescript: ^3.4.2 => 3.5.3
vue: ^2.6.10 => 2.6.10 (2.6.11)
vue-class-component: ^6.3.2 => 6.3.2
vue-d2b: ^1.0.15 => 1.0.15
vue-directive-tooltip: ^1.6.3 => 1.6.3
vue-eslint-parser: 7.0.0
vue-hot-reload-api: 2.3.4
vue-i18n: ^8.10.0 => 8.12.0
vue-json-pretty: ^1.6.2 => 1.6.2
vue-loader: 15.9.3 (16.0.0-beta.8)
vue-moment: ^4.0.0 => 4.1.0
vue-property-decorator: ^7.3.0 => 7.3.0
vue-resize-directive: ^1.2.0 => 1.2.0
vue-router: ^3.0.3 => 3.0.7
vue-style-loader: 4.1.2
vue-template-compiler: ^2.6.10 => 2.6.10
vue-template-es2015-compiler: 1.9.1
vue2-ace-editor: 0.0.11 => 0.0.11
vue2-editor: ^2.10.2 => 2.10.2
vuex: ^3.1.0 => 3.1.1
vuex-class: ^0.3.2 => 0.3.2
npmGlobalPackages:
@vue/cli: Not Found
Steps to reproduce
Install the latest version of @vue/cli-service and try to run yarn audit or npm audit, and see that the following advisory is shown (in this case yarn):
❯ yarn audit
yarn audit v1.22.5
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Prototype Pollution in node-forge                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ node-forge                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >= 0.10.0                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @vue/cli-service                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @vue/cli-service > webpack-dev-server > selfsigned >         │
│               │ node-forge                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1561                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
1 vulnerabilities found - Packages audited: 1932
Severity: 1 High
Done in 3.27s.
What is expected?
Yarn audit or npm audit should return no vulnerabilities.
What is actually happening?
Yarn audit or npm audit should return one high vulnerability.
Since it is the latest version and the vulnerability is highlighted as high, it would need to be fixed (upgrading node-forge).
Related NPM advisory: https://www.npmjs.com/advisories/1561
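To show what the advisory's vulnerability class looks like in practice, here is an added illustration (not code from node-forge, selfsigned or webpack-dev-server): a hypothetical dotted-path setter in its vulnerable form beside a hardened form, plus a probe that reports whether an unrelated object inherited the write.

```javascript
// Added illustration of the Prototype Pollution class named in the advisory.
// setPathUnsafe / setPathSafe are hypothetical helpers, not node-forge's code.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Vulnerable form: every path segment is used as-is. For a plain object,
// obj["__proto__"] is Object.prototype, so the path "__proto__.x" writes
// a property that every object in the process then inherits.
function setPathUnsafe(obj, path, value) {
  const keys = path.split(".");
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    if (cur[keys[i]] === undefined || cur[keys[i]] === null) cur[keys[i]] = {};
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Hardened form: refuse the segments that can reach a prototype, and only
// descend into the object's own plain-object properties (never an inherited
// value), so an untrusted path can only touch the target object itself.
function setPathSafe(obj, path, value) {
  const keys = path.split(".");
  for (const k of keys) {
    if (FORBIDDEN_KEYS.has(k)) {
      throw new TypeError(`refusing to set reserved key ${JSON.stringify(k)}`);
    }
  }
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    const own = Object.prototype.hasOwnProperty.call(cur, k);
    if (!own || typeof cur[k] !== "object" || cur[k] === null) cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Probe: apply a constructed "__proto__.<marker>" path with the given setter
// and report whether a fresh, unrelated object observed the property.
// The marker is deleted afterwards so the rest of the process is unaffected.
function pollutes(setter) {
  const marker = "pollutedByDemo";
  try {
    setter({}, `__proto__.${marker}`, true);
  } catch (e) {
    return false; // the hardened setter rejects the path before writing
  }
  const leaked = ({})[marker] === true;
  delete Object.prototype[marker];
  return leaked;
}
```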
Keep it open for reference; other people might come here with the same question.
Also, looking at the report, it seems that the affected features are utility functions that are not used by the features that node-forge itself provides. So unless webpack-dev-server does make use of these utilities and does so in an unsafe way, which is very unlikely, this is not really a serious vulnerability in our context.