Skip to content

High Security Vulnerability (Denial of Service) issue 1486 in http-proxy #5489

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
itsalaidbacklife opened this issue May 15, 2020 · 7 comments
Closed

High Security Vulnerability (Denial of Service) issue 1486 in http-proxy #5489

itsalaidbacklife opened this issue May 15, 2020 · 7 comments
Labels
upstream

Comments

@itsalaidbacklife
Copy link

Version

4.3.1

Reproduction link

https://github.com/itsalaidbacklife/vue-http-proxy-vulnerability-1486

Environment info

System:
    OS: Windows 10 10.0.18363
    CPU: (4) x64 Intel(R) Core(TM) i7-7500U CPU @ 2.70GHz
  Binaries:
    Node: 12.16.1 - E:\Program Files\nodejs\node.EXE
    Yarn: Not Found
    npm: 6.13.4 - E:\Program Files\nodejs\npm.CMD
  Browsers:
    Edge: 44.18362.449.0
  npmPackages:
    @vue/babel-helper-vue-jsx-merge-props:  1.0.0
    @vue/babel-plugin-transform-vue-jsx:  1.1.2
    @vue/babel-preset-app:  4.2.3
    @vue/babel-preset-jsx:  1.1.2
    @vue/babel-sugar-functional-vue:  1.1.2
    @vue/babel-sugar-inject-h:  1.1.2
    @vue/babel-sugar-v-model:  1.1.2
    @vue/babel-sugar-v-on:  1.1.2
    @vue/cli-overlay:  4.2.3
    @vue/cli-plugin-babel: ~4.2.0 => 4.2.3
    @vue/cli-plugin-e2e-cypress: ^4.3.1 => 4.3.1
    @vue/cli-plugin-eslint: ~4.2.0 => 4.2.3
    @vue/cli-plugin-router:  4.2.3
    @vue/cli-plugin-unit-jest: ^4.3.1 => 4.3.1
    @vue/cli-plugin-vuex:  4.2.3
    @vue/cli-service: ~4.2.0 => 4.2.3
    @vue/cli-shared-utils:  4.2.3 (4.3.1)
    @vue/component-compiler-utils:  3.1.1
    @vue/preload-webpack-plugin:  1.1.1
    @vue/test-utils: 1.0.0-beta.31 => 1.0.0-beta.31
    @vue/web-component-wrapper:  1.2.0
    eslint-plugin-vue: ^6.2.2 => 6.2.2
    jest-serializer-vue:  2.0.2
    vue: ^2.6.11 => 2.6.11
    vue-cli-plugin-vuetify: ~2.0.5 => 2.0.5
    vue-eslint-parser:  7.0.0
    vue-hot-reload-api:  2.3.4
    vue-jest:  3.0.5
    vue-loader:  15.9.0
    vue-router: ^3.1.6 => 3.1.6
    vue-style-loader:  4.1.2
    vue-template-compiler: ^2.6.11 => 2.6.11
    vue-template-es2015-compiler:  1.9.1
    vuetify: ^2.2.27 => 2.2.27
    vuetify-loader: ^1.3.0 => 1.4.3
    vuex: ^3.4.0 => 3.4.0
  npmGlobalPackages:
    @vue/cli: Not Found

Steps to reproduce

npm audit

What is expected?

Newly created projects will not have high-severity security vulnerabilities and will pass npm audit without issues.

What is actually happening?

npm audit reports 1 high-severity security vulnerability 1486

Issue is with Denial of service in
@vue/cli-service > webpack-dev-server > http-proxy-middleware > http-proxy

No patch is currently available. Npm recommends [Considering] "using an alternative package until a fix is made available."
@haoqunjiang
Copy link
Member

Tracked here: http-party/node-http-proxy#1446

Note: as it's only used for the local development server, it's not an actual security vulnerability on Vue CLI projects. Feel free to ignore it if @vue/cli-service is the only source of this dependency in your project.

@Riippi Riippi mentioned this issue May 18, 2020
Merged
@solidevolution
Copy link

We're also waiting for a fix, meanwhile we set http-proxy to our audit-ci whitelist

@haoqunjiang
Copy link
Member

The latest progress on the issue is tracked here: webpack/webpack-dev-server#2616

@sailfish009
Copy link

@sodatea there is fixed version for this([email protected]),
but when i install @vue/cli-service, it keep to install vulnerable old version, instead of fixed.


├─ [email protected]
│  ├─ http-proxy@^1.17.0
│  ├─ [email protected]

@haoqunjiang
Copy link
Member

haoqunjiang commented May 30, 2020
edited
Loading

@sailfish009
webpack-dev-server hasn't fixed this issue (see the link above). They've pinned the http-proxy-middleware version.

@mayankpw
Copy link

Low Prototype Pollution Package @hapi/hoek Patched in >=8.5.1 <9.0.0 || >=9.0.3 Dependency of @vue/cli-plugin-babel [dev] Path @vue/cli-plugin-babel > @vue/cli-shared-utils > @hapi/joi > @hapi/hoek More info https://npmjs.com/advisories/1468 Low Prototype Pollution Package @hapi/hoek Patched in >=8.5.1 <9.0.0 || >=9.0.3 Dependency of @vue/cli-plugin-pwa [dev] Path @vue/cli-plugin-pwa > @vue/cli-shared-utils > @hapi/joi > @hapi/hoek More info https://npmjs.com/advisories/1468 Low Prototype Pollution Package @hapi/hoek Patched in >=8.5.1 <9.0.0 || >=9.0.3 Dependency of @vue/cli-plugin-typescript [dev] Path @vue/cli-plugin-typescript > @vue/cli-shared-utils > @hapi/joi > @hapi/hoek More info https://npmjs.com/advisories/1468 Low Prototype Pollution Package @hapi/hoek Patched in >=8.5.1 <9.0.0 || >=9.0.3 Dependency of @vue/cli-service [dev] Path @vue/cli-service > @vue/cli-plugin-router > @vue/cli-shared-utils > @hapi/joi > @hapi/hoek More info https://npmjs.com/advisories/1468 Low Prototype Pollution Package @hapi/hoek Patched in >=8.5.1 <9.0.0 || >=9.0.3 Dependency of @vue/cli-service [dev] Path @vue/cli-service > @vue/cli-shared-utils > @hapi/joi > @hapi/hoek More info https://npmjs.com/advisories/1468 Low Prototype Pollution Package @hapi/hoek Patched in >=8.5.1 <9.0.0 || >=9.0.3 Dependency of @vue/cli-plugin-babel [dev] Path @vue/cli-plugin-babel > @vue/cli-shared-utils > @hapi/joi > @hapi/topo > @hapi/hoek More info https://npmjs.com/advisories/1468 Low Prototype Pollution Package @hapi/hoek Patched in >=8.5.1 <9.0.0 || >=9.0.3 Dependency of @vue/cli-plugin-pwa [dev] Path @vue/cli-plugin-pwa > @vue/cli-shared-utils > @hapi/joi > @hapi/topo > @hapi/hoek More info https://npmjs.com/advisories/1468 Low Prototype Pollution Package @hapi/hoek Patched in >=8.5.1 <9.0.0 || >=9.0.3 Dependency of @vue/cli-plugin-typescript [dev] Path @vue/cli-plugin-typescript > @vue/cli-shared-utils > @hapi/joi > @hapi/topo > @hapi/hoek More info https://npmjs.com/advisories/1468 Low Prototype Pollution Package @hapi/hoek Patched in >=8.5.1 <9.0.0 || >=9.0.3 Dependency of @vue/cli-service [dev] Path @vue/cli-service > @vue/cli-plugin-router > @vue/cli-shared-utils > @hapi/joi > @hapi/topo > @hapi/hoek More info https://npmjs.com/advisories/1468 Low Prototype Pollution Package @hapi/hoek Patched in >=8.5.1 <9.0.0 || >=9.0.3 Dependency of @vue/cli-service [dev] Path @vue/cli-service > @vue/cli-shared-utils > @hapi/joi > @hapi/topo > @hapi/hoek More info https://npmjs.com/advisories/1468 Moderate Regular expression denial of service Package glob-parent Patched in >=5.1.2 Dependency of @vue/cli-plugin-babel [dev] Path @vue/cli-plugin-babel > webpack > watchpack > watchpack-chokidar2 > chokidar > glob-parent More info https://npmjs.com/advisories/1751 Moderate Regular expression denial of service Package glob-parent Patched in >=5.1.2 Dependency of @vue/cli-plugin-pwa [dev] Path @vue/cli-plugin-pwa > webpack > watchpack > watchpack-chokidar2 > chokidar > glob-parent More info https://npmjs.com/advisories/1751 Moderate Regular expression denial of service Package glob-parent Patched in >=5.1.2 Dependency of @vue/cli-plugin-typescript [dev] Path @vue/cli-plugin-typescript > webpack > watchpack > watchpack-chokidar2 > chokidar > glob-parent More info https://npmjs.com/advisories/1751 Moderate Regular expression denial of service Package glob-parent Patched in >=5.1.2 Dependency of @vue/cli-service [dev] Path @vue/cli-service > webpack > watchpack > watchpack-chokidar2 > chokidar > glob-parent More info https://npmjs.com/advisories/1751 Moderate Regular expression denial of service Package glob-parent Patched in >=5.1.2 Dependency of @vue/cli-plugin-typescript [dev] Path @vue/cli-plugin-typescript > globby > fast-glob > glob-parent More info https://npmjs.com/advisories/1751 Moderate Regular expression denial of service Package glob-parent Patched in >=5.1.2 Dependency of @vue/cli-service [dev] Path @vue/cli-service > globby > fast-glob > glob-parent More info https://npmjs.com/advisories/1751 Moderate Regular expression denial of service Package glob-parent Patched in >=5.1.2 Dependency of @vue/cli-service [dev] Path @vue/cli-service > copy-webpack-plugin > glob-parent More info https://npmjs.com/advisories/1751 Moderate Regular expression denial of service Package glob-parent Patched in >=5.1.2 Dependency of @vue/cli-service [dev] Path @vue/cli-service > webpack-dev-server > chokidar > glob-parent More info https://npmjs.com/advisories/1751 High Denial of Service Package css-what Patched in >=5.0.1 Dependency of @vue/cli-service [dev] Path @vue/cli-service > @intervolga/optimize-cssnano-plugin > cssnano > cssnano-preset-default > postcss-svgo > svgo > css-select > css-what More info https://npmjs.com/advisories/1754 High Denial of Service Package css-what Patched in >=5.0.1 Dependency of @vue/cli-service [dev] Path @vue/cli-service > cssnano > cssnano-preset-default > postcss-svgo > svgo > css-select > css-what More info https://npmjs.com/advisories/1754 High Denial of Service Package css-what Patched in >=5.0.1 Dependency of @vue/cli-service [dev] Path @vue/cli-service > @intervolga/optimize-cssnano-plugin > cssnano-preset-default > postcss-svgo > svgo > css-select > css-what More info https://npmjs.com/advisories/1754 High Regular Expression Denial of Service Package normalize-url Patched in >=4.5.1 <5.0.0 || >=5.3.1 <6.0.0 || >=6.0.1 Dependency of @vue/cli-service [dev] Path @vue/cli-service > @intervolga/optimize-cssnano-plugin > cssnano > cssnano-preset-default > postcss-normalize-url > normalize-url More info https://npmjs.com/advisories/1755 High Regular Expression Denial of Service Package normalize-url Patched in >=4.5.1 <5.0.0 || >=5.3.1 <6.0.0 || >=6.0.1 Dependency of @vue/cli-service [dev] Path @vue/cli-service > cssnano > cssnano-preset-default > postcss-normalize-url > normalize-url More info https://npmjs.com/advisories/1755 High Regular Expression Denial of Service Package normalize-url Patched in >=4.5.1 <5.0.0 || >=5.3.1 <6.0.0 || >=6.0.1 Dependency of @vue/cli-service [dev] Path @vue/cli-service > @intervolga/optimize-cssnano-plugin > cssnano-preset-default > postcss-normalize-url > normalize-url More info https://npmjs.com/advisories/1755 High Regular Expression Denial of Service Package normalize-url Patched in >=4.5.1 <5.0.0 || >=5.3.1 <6.0.0 || >=6.0.1 Dependency of @vue/cli-service [dev] Path @vue/cli-service > mini-css-extract-plugin > normalize-url More info https://npmjs.com/advisories/1755 found 25 vulnerabilities (10 low, 8 moderate, 7 high) in 1435 scanned packages 25 vulnerabilities require manual review.

I am also facing the all my audit fix because of cli

@Lissy93 Lissy93 mentioned this issue Jun 26, 2021
Closed
@lil5
Copy link

lil5 commented Jun 27, 2021

@mayankpw Please start using "Fenced code blocks" It helps readability. 😉

Markdown coverts text with four leading spaces into a code block; with GFM you can
wrap your code with ``` to create a code block without the leading spaces. Add an
optional language identifier and your code will get syntax highlighting.

https://guides.github.com/pdfs/markdown-cheatsheet-online.pdf

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
upstream
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@haoqunjiang @itsalaidbacklife @solidevolution @sailfish009 @lil5 @mayankpw