
CVE-2021-23440 Prototype Pollution in set-value #7020

Closed
tmartinbankunited opened this issue Sep 16, 2021 · 6 comments

@tmartinbankunited

GitHub Advisory CVE-2021-23440

Package: set-value (npm)
Affected versions: < 4.0.1
Patched versions: 4.0.1

Description
This affects the package set-value before 4.0.1. A type confusion vulnerability can lead to a bypass of CVE-2019-10747 when the user-provided keys used in the path parameter are arrays.

References
https://nvd.nist.gov/vuln/detail/CVE-2021-23440
jonschlinkert/set-value#33
jonschlinkert/set-value@7cf8073
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1584212
https://snyk.io/vuln/SNYK-JS-SETVALUE-1540541
https://www.huntr.dev/bounties/2eae1159-01de-4f82-a177-7478a408c4a2/
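
The advisory's point is that a key check applied only to dotted-string paths can be sidestepped when the path is supplied as an array. The following is an added defensive example, not code from set-value, its fix, or Nx: a minimal deep-set (`safeSet`, `toSegments` and `prototypeStillClean` are names chosen here) that normalises both path forms to segments before applying the same blocklist.

```javascript
// Added example (not code from set-value or Nx): a minimal deep-set that
// rejects prototype-polluting segments whether the path arrives as a dotted
// string or as an array of keys, the form CVE-2021-23440 concerns.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Normalise every accepted path form to an array of string segments so the
// same check runs regardless of how the caller spelled the path.
function toSegments(path) {
  if (Array.isArray(path)) {
    // Flatten nested arrays and coerce to strings so a wrapped key is still inspected.
    return path.flat(Infinity).map(String);
  }
  if (typeof path === 'string') return path.split('.');
  throw new TypeError('path must be a string or an array of keys');
}

function safeSet(target, path, value) {
  if (target === null || typeof target !== 'object') {
    throw new TypeError('target must be an object');
  }
  const segs = toSegments(path);
  if (segs.length === 0 || segs.some((s) => s === '')) {
    throw new TypeError('empty path segment');
  }
  if (segs.some((s) => UNSAFE_KEYS.has(s))) {
    throw new Error('refusing to set unsafe key: ' + segs.join('.'));
  }
  let node = target;
  for (let i = 0; i < segs.length - 1; i++) {
    const key = segs[i];
    // Only descend into own, plain-object properties; create one otherwise,
    // so inherited properties are never reached through the walk.
    if (!Object.prototype.hasOwnProperty.call(node, key) ||
        node[key] === null || typeof node[key] !== 'object') {
      node[key] = {};
    }
    node = node[key];
  }
  node[segs[segs.length - 1]] = value;
  return target;
}

// Constructed self-check: attempt a rejected write, then confirm a fresh
// object did not inherit the property (i.e. Object.prototype is untouched).
function prototypeStillClean(path) {
  try { safeSet({}, path, 'polluted'); } catch (e) { /* rejected, as intended */ }
  return ({}).polluted === undefined;
}
```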

@schmkr

schmkr commented Sep 24, 2021

Nx itself does not depend directly on this package; it is a transitive dependency:

$ npm ls set-value
.
└─┬ @nrwl/node@12.9.0
  └─┬ ts-loader@5.4.5
    └─┬ micromatch@3.1.10
      └─┬ snapdragon@0.8.2
        └─┬ base@0.11.2
          └─┬ cache-base@1.0.1
            ├── set-value@2.0.1
            └─┬ union-value@1.0.1
              └── set-value@2.0.1 deduped

I suspect ts-loader is kept on an older version for a reason? I checked and there is already a version 9.2.5 (major version 9 requires webpack 5 at minimum). In version 6 of the ts-loader, they updated to version 4 of micromatch, which with v4 got rid of snapdragon along with a bunch of other dependencies:

dependencies diff for package.json of micromatch v3.10.0 - v4.0.1

@shihabuddin
Contributor

There is also a ts-loader v5.4.6, which also upgraded micromatch to 4.0.0. TypeStrong/ts-loader#928. You can consider using that too.

@fourlincoln10

I don't see v5.4.6. The next version is 6.0.0? I could manually upgrade to that but since it's a major version change I'm concerned about affecting NX.

https://www.npmjs.com/package/ts-loader

@vsavkin vsavkin added the scope: core core nx functionality label Sep 30, 2021
@vsavkin vsavkin self-assigned this Sep 30, 2021
@schmkr

schmkr commented Oct 29, 2021

I just created a new workspace with version 13 and with that, the @nrwl/node package now has ts-loader at version 9.2.6, which does not rely on set-value anymore. That seems to resolve the issue; not sure what Nrwl's policy is regarding updating this for a previous major version?

@AgentEnder
Member

I'm going to close this out since it is fixed in v13, and @nrwl/node is not used at runtime (only dev time). If the package was used after the app was built, or the vulnerability could affect the built app, then it may be worth backporting the update, but in this case I don't think that's the case.

@github-actions

This issue has been closed for more than 30 days. If this issue is still occurring, please open a new issue with more recent context.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 23, 2023