
upgrade downstream dependencies to fix decode-uri-component CVE-2022-38900 GHSA-w573-4hg7-7wgq #46026

Closed
c3ivodujmovic opened this issue Dec 31, 2022 · 6 comments
Labels
npm Issues and PRs related to the npm client dependency or the npm registry.

Comments

@c3ivodujmovic

Version

14.21.2

Platform

Linux 19b7e582104e 5.19.0-26-generic #27-Ubuntu SMP PREEMPT_DYNAMIC Wed Nov 23 20:44:15 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

Subsystem

No response

What steps will reproduce the bug?

Node v14 includes npm v6, which in turn includes query-string <7.1.3, which includes the fixed decode-uri-component@0.2.1 for GHSA-w573-4hg7-7wgq

Details

npm@6.14.17 node-v14.21.2-linux-x64/lib/node_modules/npm
└─┬ query-string@6.8.2
  └── decode-uri-component@0.2.0

PoC

See base vulnerability GHSA-w573-4hg7-7wgq

Impact

https://nvd.nist.gov/vuln/detail/CVE-2022-38900
GHSA-w573-4hg7-7wgq

How often does it reproduce? Is there a required condition?

No response

What is the expected behavior?

No response

What do you see instead?

https://nvd.nist.gov/vuln/detail/CVE-2022-38900
GHSA-w573-4hg7-7wgq

Additional information

https://github.com/npm/cli/security/advisories/GHSA-5698-6q73-gp8h

Asked npm to fix v6: npm/cli#6010

@bnoordhuis added the label npm (Issues and PRs related to the npm client dependency or the npm registry) on Dec 31, 2022

@bnoordhuis (Member)

Thanks for the report but no action is required on our part. The arrangement is that npm submits updates to us.

@bnoordhuis closed this as not planned (won't fix, can't repro, duplicate, stale) on Dec 31, 2022

@c3ivodujmovic (Author)

@bnoordhuis Hi Ben, it would seem to me that Node picked up the responsibility when Node decided to distribute with npm: specifically, to assure that the code Node distributes does not contain vulnerabilities.

As is, Node installation is spreading vulnerable code.

Since Node is distributing npm, Node needs to chase npm to fix the issues. Alternatively, Node should include a version of npm that does not have the vulnerabilities.

@bnoordhuis (Member)

You're of course entitled to your opinions, just don't expect me or anyone else to agree with them.

sindresorhus/query-string#345 (comment) quite accurately summarizes the severity of this issue [1] and npm probably (and IMO rightly) dismissed it as such.

[1] tl;dr someone thought it was an awesome idea to bulk-file "foo is not a function" bugs as security vulnerabilities. Guess that's one way to build up a CVE count when you're an aspiring security researcher.

@c3lisalowery

@ry + @Trott - Do you agree with @bnoordhuis that this CVE won't be fixed? We owe a customer a mitigation statement for this CVE so I want to make sure I'm accurately capturing reality.

@bnoordhuis (Member)

The npm upgrade in #45936 contains a newer version of that dep.

@lukekarrys (Member)

To reiterate the previous comment from @bnoordhuis, npm@6.14.18 contains decode-uri-component@0.2.2 which does not contain the vulnerability. And the PR linked (#45936) is being worked on by the release team to land npm@6.14.18 in the next release of node@14.
