
Bump express to 4.16.2 to address forwarded vulnerability #1198

Closed

tancnle opened this issue Nov 23, 2017 · 3 comments

Comments

@tancnle

tancnle commented Nov 23, 2017

  • Operating System: MacOS 10.13.1
  • Node Version: 8.9.1
  • NPM Version: 5.5.1
  • webpack Version:
  • webpack-dev-server Version: 2.9.4
  • This is a bug
  • This is a feature request
  • This is a modification request

Our most recent sourceclear scan (https://www.sourceclear.com/) has revealed a vulnerability in the forwarded library which can cause regular expression denial of service (ReDoS). A flaw when the x-forwarded-for header is parsed causes the event loop to be blocked. To mitigate this, we need to bump forwarded to 0.1.2.

Dependency tree for express, before:

webpack-dev-server@2.9.4
└─┬ express@4.15.4
  └─┬ proxy-addr@1.1.5
    └── forwarded@0.1.1

after:

webpack-dev-server@2.9.4
└─┬ express@4.16.2
  └─┬ proxy-addr@2.0.2
    └── forwarded@0.1.2
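The bug class behind the report, as an added illustration (not code from webpack-dev-server, express or the forwarded package): a parser that splits X-Forwarded-For on a regex that also swallows surrounding spaces backtracks quadratically on a header made of nothing but spaces, while a single-pass parser costs time proportional to the header length whatever the content. The regex shape, the function names and the sample addresses below are assumptions made for this example, not quoted from any release of forwarded.

```javascript
// Added illustration, not code from webpack-dev-server, express or the
// forwarded package. The regex and both function names are assumptions
// chosen to show the ReDoS bug class described in the report.

// Naive parser: split the header value on a regex that also eats the
// surrounding spaces. On a value made only of spaces (no comma), the
// engine tries the match at every offset, and each attempt greedily
// consumes the remaining spaces and then backtracks one by one looking
// for a comma: O(n^2) steps, all of them on the event loop.
function parseXffRegex(header) {
  return header.split(/ *, */);
}

// Hardened parser: one forward pass, no regex. Every character is looked
// at exactly once, so a hostile header costs O(n) regardless of content.
// Spaces around each address are dropped; empty fields are kept as ''
// so the caller can reject or log a malformed header instead of silently
// changing the number of hops.
function parseXffLinear(header) {
  const addrs = [];
  let start = -1; // index of the first non-space byte of the current field
  let end = -1;   // index just past its last non-space byte
  for (let i = 0; i <= header.length; i++) {
    // Treat the end of the string as a final separator.
    const c = i < header.length ? header.charCodeAt(i) : 0x2c;
    if (c === 0x2c /* , */) {
      addrs.push(start === -1 ? '' : header.slice(start, end));
      start = end = -1;
    } else if (c !== 0x20 /* space */) {
      if (start === -1) start = i;
      end = i + 1;
    }
  }
  return addrs;
}

// Time one parser on a header of n spaces, the attacker-controlled worst
// case for the regex version. Returns elapsed milliseconds.
function timeParser(parse, n) {
  const hostile = ' '.repeat(n);
  const t0 = Date.now();
  parse(hostile);
  return Date.now() - t0;
}

if (typeof require !== 'undefined' && require.main === module) {
  // Constructed sample header: two proxies plus an origin client, with
  // inconsistent spacing around the commas.
  const header = '203.0.113.7, 198.51.100.2 ,10.0.0.5';
  console.log('regex :', parseXffRegex(header));
  console.log('linear:', parseXffLinear(header));
  // Doubling n roughly quadruples the regex time and doubles the linear one.
  for (const n of [2000, 4000, 8000]) {
    const slow = timeParser(parseXffRegex, n);
    const fast = timeParser(parseXffLinear, n);
    console.log(`n=${n}: regex ${slow} ms, linear ${fast} ms`);
  }
}
```

Both parsers return the same address list for well-formed headers; the difference only shows on hostile input. Because X-Forwarded-For is supplied by the client, any code that parses it should do work bounded by the header's length, which is the property the linear version has and the regex version lacks.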
@shellscape
Contributor

@tancnle thanks for checking in. I'd recommend you check out nsp versus sourceclear. NSP is picking up 11 similar vulnerabilities. However, it's important to note that webpack-dev-server is only meant to be run locally, and temporarily for the purpose of debugging. Unless you're planning on attacking your own machine, you're not in much danger from the current list.

@tancnle
Author

tancnle commented Nov 23, 2017

@shellscape Fair point. With that in mind, this is more or less a dependency bump to keep things up to date. I guess we can close it in favour of a larger update later on.

@tancnle tancnle closed this as completed Nov 23, 2017
@shellscape shellscape reopened this Nov 23, 2017
@shellscape
Contributor

I'm actually going to reopen this so we can track it in a change to come, and make sure you get credit for the original report in the commit 🍻
