Hotfix: Prevent SSRF #3410
@timemachine3030 Shared some suggestions with you. Thanks for your quick fixing.
@timemachine3030 Can you say if this only affected 0.21.0 or prior versions as well?
@ArSn Versions since 0.19.0, when proxy forwarding was added. The vulnerability is exclusive to Node.js applications making requests through proxy servers.
Yeah I caught that, thanks!
Sorry if this is not the right place to ask, but when is the fixed code going to be packaged and published on the NPM repo, so we can actually make use of it? When is the next npm version supposed to come out?
Any update on when
@jasonsaayman When will 0.21.1 tag be released? Thanks
@twistedpair, @kobe0730 I have asked Emily to get to this release so it is with her now, I will ask her if she will get to it this week and revert back. Thanks for your patience.
@jasonsaayman @emilyemorehouse Sorry to ping but any updates on when we can expect v0.21.1 will be released? Given the CVSS score on this I'm about to breach security SLOs (and judging by the interest from others I am not the only one). Thanks!
Hello, same issue with my company - could we please release soon? It will be a nice christmas gift 🙏
```
npm WARN old lockfile
npm WARN old lockfile The package-lock.json file was created with an old version of npm,
npm WARN old lockfile so supplemental metadata must be fetched from the registry.
npm WARN old lockfile
npm WARN old lockfile This is a one-time fix-up, please be patient...
npm WARN old lockfile
npm WARN deprecated debug@4.1.1: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (debug-js/debug#797)
npm WARN deprecated axios@0.19.2: Critical security vulnerability fixed in v0.21.1. For more information, see axios/axios#3410
npm WARN deprecated @zeit/ncc@0.22.3: @zeit/ncc is no longer maintained. Please use @vercel/ncc instead.

added 202 packages, and audited 203 packages in 3s

25 packages are looking for funding
  run `npm fund` for details

8 vulnerabilities (1 moderate, 6 high, 1 critical)

To address all issues, run:
  npm audit fix

Run `npm audit` for details.
```
```
yarn import v1.22.19
info found npm package-lock.json, converting to yarn.lock
warning @zeit/ncc@0.22.3: @zeit/ncc is no longer maintained. Please use @vercel/ncc instead.
warning eslint > debug@4.1.1: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (debug-js/debug#797)
warning @slack/webhook > axios@0.19.2: Critical security vulnerability fixed in v0.21.1. For more information, see axios/axios#3410
success Saved lockfile.
✨  Done in 4.28s.
```
Fixes vulnerability described in:
Uses a hook in follow-redirects to continue using the proxy if a redirect is encountered.
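The mechanism the description names, as an added example that is not axios' or follow-redirects' own code: a beforeRedirect-style hook that re-applies the proxy settings to the options follow-redirects will use for the next hop, so a redirect cannot pull the connection off the proxy. `applyProxy`, `makeBeforeRedirect`, `hopDestination`, `demo` and the proxy/redirect values are constructed assumptions; the only thing taken from follow-redirects is the hook shape (the next request's options object as first argument).

```javascript
// Constructed example, not axios' or follow-redirects' own code.
// A forward proxy expects the absolute target URL as the request path and the
// TCP connection to go to the proxy itself, so every hop must be rewritten.
function applyProxy(options, proxy, targetUrl) {
  const target = new URL(targetUrl);
  options.hostname = proxy.host;
  options.host = proxy.host;
  options.port = proxy.port;
  options.path = targetUrl;
  options.headers = Object.assign({}, options.headers, { host: target.host });
  if (proxy.auth) {
    // Basic proxy credentials, re-encoded on every hop so they are never dropped.
    const token = Buffer.from(proxy.auth.username + ':' + proxy.auth.password).toString('base64');
    options.headers['Proxy-Authorization'] = 'Basic ' + token;
  }
  return options;
}

// follow-redirects calls options.beforeRedirect(nextOptions, ...) before each
// hop, with nextOptions already pointing at the Location target. Without this
// hook the hop connects to that target directly, skipping the proxy (the bypass
// this PR closes); with it, the hop is routed back through the proxy.
function makeBeforeRedirect(proxy) {
  return function beforeRedirect(nextOptions) {
    // Assumption: nextOptions carries the absolute redirect URL; rebuild it otherwise.
    const href = nextOptions.href ||
      nextOptions.protocol + '//' + nextOptions.hostname +
      (nextOptions.port ? ':' + nextOptions.port : '') + (nextOptions.path || '/');
    applyProxy(nextOptions, proxy, href);
  };
}

// Where the next hop would actually open its TCP connection (host:port).
function hopDestination(options) {
  return options.hostname + ':' + options.port;
}

// Demonstration on constructed values: a redirect to an internal-only host.
function demo() {
  const proxy = { host: 'proxy.corp.example', port: 3128 };
  const next = { protocol: 'http:', hostname: 'internal.example', port: 8080,
                 path: '/status', href: 'http://internal.example:8080/status', headers: {} };
  const before = hopDestination(next);   // 'internal.example:8080' -> proxy bypassed
  makeBeforeRedirect(proxy)(next);
  const after = hopDestination(next);    // 'proxy.corp.example:3128' -> back on the proxy
  return { before, after, path: next.path, hostHeader: next.headers.host };
}
```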