
CVE-2022-24434 Vulnerability in dependency of apollo-server-core #6485

Closed
abaumg opened this issue May 27, 2022 · 2 comments

Comments


abaumg commented May 27, 2022

@apollographql/apollo-server-core 2.25.4 depends on @apollographql/graphql-upload-8-fork, which depends on busboy <=0.3.1, which depends on a version of dicer which is vulnerable to a Denial of Service attack and has been assigned CVE-2022-24434. The busboy maintainer has released a new busboy version 1.0.0 which removes the vulnerable dependency altogether: mscdex/busboy#266. Unfortunately, @apollographql/graphql-upload-8-fork still depends on vulnerable busboy 0.3.1.

➜  demo-project git:(main) ✗ npm audit --only=prod 
# npm audit report

dicer  *
Severity: high
Crash in HeaderParser in dicer - https://github.com/advisories/GHSA-wm7h-9275-46v2
fix available via `npm audit fix --force`
Will install apollo-server-express@3.8.1, which is a breaking change
node_modules/dicer
  busboy  <=0.3.1
  Depends on vulnerable versions of dicer
  node_modules/busboy
    @apollographql/graphql-upload-8-fork  *
    Depends on vulnerable versions of busboy
    node_modules/@apollographql/graphql-upload-8-fork
      apollo-server-core  2.21.0-alpha.0 - 2.25.4
      Depends on vulnerable versions of @apollographql/graphql-upload-8-fork
      node_modules/apollo-server-core
        apollo-server-express  2.0.1 || 2.21.0-alpha.0 - 2.25.4
        Depends on vulnerable versions of apollo-server-core
        node_modules/apollo-server-express

5 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force
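The chain shown in the audit output can be recovered from a lockfile without npm. The following is an added example, not code from the issue or from Apollo Server: it walks a constructed package-lock fragment (the upload fork's and dicer's versions are assumed) with Node-style resolution and returns every dependency chain that ends in busboy <=0.3.1 or any dicer, which is what `npm audit` reports above.

```javascript
// Added example, not code from the issue or from Apollo Server: report every dependency
// chain in an npm lockfile ("packages" map, lockfile v2/v3) that ends in an advisory match.
// Constructed lockfile fragment mirroring the issue's chain; the upload fork's and
// dicer's versions are illustrative, not taken from a real package-lock.json.
const LOCK = { packages: {
  "": { dependencies: { "apollo-server-express": "^2.25.4" } },
  "node_modules/apollo-server-express": { version: "2.25.4", dependencies: { "apollo-server-core": "^2.25.4" } },
  "node_modules/apollo-server-core": { version: "2.25.4", dependencies: { "@apollographql/graphql-upload-8-fork": "^8.0.0" } },
  "node_modules/@apollographql/graphql-upload-8-fork": { version: "8.0.0", dependencies: { busboy: "^0.3.1" } },
  "node_modules/busboy": { version: "0.3.1", dependencies: { dicer: "^0.2.0" } },
  "node_modules/dicer": { version: "0.2.0" },
} };

// Advisory as `npm audit` reports it in the issue: dicer at any version, busboy <=0.3.1.
const ADVISORY = { dicer: () => true, busboy: (v) => compareVersions(v, "0.3.1") <= 0 };

// Compare dotted numeric versions; pre-release tags such as "-alpha.0" are ignored.
function compareVersions(a, b) {
  const [pa, pb] = [a, b].map((v) => v.split("-")[0].split(".").map(Number));
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return Math.sign((pa[i] || 0) - (pb[i] || 0));
  }
  return 0;
}

// Node-style resolution: the requester's own node_modules, then each parent's up to the root.
function resolve(packages, fromPath, depName) {
  for (let base = fromPath; ; base = base.slice(0, Math.max(base.lastIndexOf("/node_modules/"), 0))) {
    const candidate = `${base ? base + "/" : ""}node_modules/${depName}`;
    if (packages[candidate]) return candidate;
    if (!base) return null; // nothing installed under that name anywhere
  }
}

// Depth-first walk from the root. `seen` holds the current chain so the cycles npm
// trees can contain terminate. Returns chains as "a@1.0.0 > b@2.0.0" strings.
function findVulnerablePaths(lock, advisory) {
  const pkgs = lock.packages, hits = [];
  const walk = (path, chain, seen) => {
    for (const dep of Object.keys(pkgs[path].dependencies || {})) {
      const depPath = resolve(pkgs, path, dep);
      if (!depPath || seen.has(depPath)) continue;
      const next = [...chain, `${dep}@${pkgs[depPath].version}`];
      if (advisory[dep]?.(pkgs[depPath].version)) hits.push(next.join(" > "));
      walk(depPath, next, new Set(seen).add(depPath));
    }
  };
  walk("", [], new Set([""]));
  return hits;
}
```

To run it against a real tree, replace `LOCK` with `require("./package-lock.json")` and log the chains `findVulnerablePaths` returns; an upgrade that removes busboy 0.3.1 and dicer yields an empty list.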

glasser commented May 27, 2022

The upload feature of Apollo Server 2 is itself a security vulnerability unless counteracted with CSRF protection. In fact the latest version as of this week turns it off by default, which also protects you from this issue.

If you'd be happier not having the upload code (which I guess has two vulnerabilities!) in your project at all rather than just deactivated, upgrade to Apollo Server 3.

@glasser glasser closed this as completed May 27, 2022

glasser commented May 27, 2022

(See GHSA-2p3c-p3qw-69r4 for details on why this feature is a security vulnerability; we have protections against this whole class of vulnerabilities in AS3.)
