
@prisma/engine-core uses vulnerable undici 5.1.1 package #14000

Closed
valerii15298 opened this issue Jun 24, 2022 · 4 comments
Labels
kind/bug A reported bug.
Milestone

Comments

@valerii15298

Bug description

@prisma/engine-core uses vulnerable undici 5.1.1 package. I believe Prisma is a modern and secure ORM, so there should be no security vulnerabilities.

How to reproduce

Install @prisma/sdk

pnpm add @prisma/sdk

Run pnpm audit

pnpm audit

┌─────────────────────┬───────────────────────────────────────────────────┐
│ high                │ ProxyAgent vulnerable to MITM                     │
├─────────────────────┼───────────────────────────────────────────────────┤
│ Package             │ undici                                            │
├─────────────────────┼───────────────────────────────────────────────────┤
│ Vulnerable versions │ >=4.8.2 <=5.5.0                                   │
├─────────────────────┼───────────────────────────────────────────────────┤
│ Patched versions    │ >=5.5.1                                           │
├─────────────────────┼───────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-pgw7-wx7w-2w33 │
└─────────────────────┴───────────────────────────────────────────────────┘

Expected behavior

There should be no security vulnerabilities!!!

Prisma information

@prisma/sdk 3.15.2

Environment & setup

Does not matter

Prisma Version

3.15.2
@valerii15298 valerii15298 added the kind/bug A reported bug. label Jun 24, 2022
@janpio janpio added this to the 4.0.0 milestone Jun 24, 2022
@janpio
Member

janpio commented Jun 24, 2022

This has already been fixed for the next version, which will be released next Tuesday: #13862

@janpio janpio closed this as completed Jun 24, 2022
@shellscape

@janpio y'all got bit by another one in undici:

┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ Regular Expression Denial of Service in                │
│                     │ Headers                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ undici                                                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <5.19.1                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=5.19.1                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ typegraphql-prisma@0.24.3 >                            │
│                     │ @prisma/internals@4.11.0 > @prisma/engine-core@4.11.0  │
│                     │ > undici@5.16.0                                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-r6ch-mqf9-qc9w      │
└─────────────────────┴────────────────────────────────────────────────────────┘
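
The two audit tables in this thread each quote a vulnerable range and a patched range for undici. The following is an added example (not code from the Prisma project or from anyone in this thread) that shows how such ranges are evaluated against an installed version, so a reader can confirm from a lockfile whether a transitive undici like the 5.1.1 or 5.16.0 seen above is inside an advisory's range. It handles only the comparator syntax pnpm audit prints here (space-separated comparators ANDed, `||` for alternatives, no pre-release tags); the advisory ids and ranges are copied from the tables above, and the dependency tree and the `auditTree` helper are constructed for illustration.

```javascript
// Added example, not part of the Prisma project: minimal semver range
// evaluation for the advisory ranges quoted in this issue.
// Supported comparators: >=, <=, >, <, = (space-separated means AND,
// "||" means OR). Pre-release/build suffixes are deliberately rejected.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Returns -1, 0 or 1 comparing two "major.minor.patch" strings numerically.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when `version` satisfies a range such as ">=4.8.2 <=5.5.0" or "<5.19.1".
function satisfies(version, range) {
  return range.split('||').some(alt =>
    alt.trim().split(/\s+/).filter(Boolean).every(cmp => {
      const m = /^(>=|<=|>|<|=)?(\d+\.\d+\.\d+)$/.exec(cmp);
      if (!m) throw new Error(`unsupported comparator: ${cmp}`);
      const c = compareVersions(version, m[2]);
      switch (m[1] || '=') {
        case '>=': return c >= 0;
        case '<=': return c <= 0;
        case '>':  return c > 0;
        case '<':  return c < 0;
        default:   return c === 0;
      }
    })
  );
}

// Advisory ids and ranges exactly as quoted in the pnpm audit output above.
const ADVISORIES = [
  { id: 'GHSA-pgw7-wx7w-2w33', title: 'ProxyAgent vulnerable to MITM', pkg: 'undici',
    vulnerable: '>=4.8.2 <=5.5.0', patched: '>=5.5.1' },
  { id: 'GHSA-r6ch-mqf9-qc9w', title: 'Regular Expression Denial of Service in Headers', pkg: 'undici',
    vulnerable: '<5.19.1', patched: '>=5.19.1' },
];

// Constructed helper: walk a flattened list of resolved packages (name, version,
// and the dependency path that led to it) and report every advisory whose
// vulnerable range contains the installed version.
function auditTree(tree, advisories = ADVISORIES) {
  const findings = [];
  for (const { name, version, path } of tree) {
    for (const adv of advisories) {
      if (adv.pkg === name && satisfies(version, adv.vulnerable)) {
        findings.push({ id: adv.id, name, version, path: path.join(' > ') });
      }
    }
  }
  return findings;
}

// Constructed sample tree mirroring the path shown in the second audit table.
const SAMPLE_TREE = [
  { name: 'typegraphql-prisma', version: '0.24.3', path: ['typegraphql-prisma@0.24.3'] },
  { name: 'undici', version: '5.16.0',
    path: ['typegraphql-prisma@0.24.3', '@prisma/internals@4.11.0',
           '@prisma/engine-core@4.11.0', 'undici@5.16.0'] },
];

console.log(auditTree(SAMPLE_TREE));
```

Running it reports one finding for undici@5.16.0 (the ReDoS advisory only, since 5.16.0 is above the MITM range's upper bound of 5.5.0), which matches the second table; feeding it undici@5.1.1 instead yields both advisories. The same `satisfies` check against the `patched` range is what tells you the version you are about to pin actually clears the advisory.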

@janpio
Member

janpio commented Mar 21, 2023

Fortunately, again not exploitable in our context, as we define the headers to be used.
But again there is already a PR open that will be merged with more interest now, I guess: #17803

@janpio
Member

janpio commented Mar 22, 2023

And merged @shellscape, will be part of next week's release.
