Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

DoS vulnerability from [email protected] #1095

Closed
mrded opened this issue May 20, 2022 · 15 comments
Closed

DoS vulnerability from [email protected] #1095

mrded opened this issue May 20, 2022 · 15 comments
Labels

Comments

@mrded
Copy link

mrded commented May 20, 2022

Hello,

Snyk is reporting a vulnerability in this repo, that is coming from the Dicer library:

Issues with no direct upgrade or patch:
  ✗ Denial of Service (DoS) [High Severity][https://snyk.io/vuln/SNYK-JS-DICER-2311764] in [email protected]
    introduced by [email protected] > [email protected] > [email protected]
  No upgrade or patch available

Updating busboy@^1.0.0 drops the dependency on dicer (where the vuln comes from).

Thanks

@mrded
Copy link
Author

mrded commented May 20, 2022

#1096

@mrded
Copy link
Author

mrded commented May 23, 2022

Better solution: #1097

@krsubbar
Copy link

@mrded Thanks for raising this PR 1097. Request the team to merge this soon. As github is also reporting a high vulnerability which will get fixed with this busboy version upgrade. GHSA-wm7h-9275-46v2

@roneyantony
Copy link

High Crash in HeaderParser in dicer

Package dicer

Patched in No patch available

Dependency of multer

Path multer > busboy > dicer

@victorKariuki
Copy link

We need that fix, i don't like Severity: high, a warning is fine not red notifications.

@1yzz
Copy link

1yzz commented Jun 15, 2022

I need this

@LinusU
Copy link
Member

LinusU commented Jun 15, 2022

This is fixed in version 1.4.5-lts.1. That version has a breaking change in that it's not compatible with older versions of Node.js anymore. If anyone can contribute a backwards-compatible patch we could release that as 1.4.5 without the -lts.1 postfix.

@victorKariuki
Copy link

victorKariuki commented Jun 15, 2022 via email

@123NeNaD
Copy link

What versions of Node are compatible?

@LinusU
Copy link
Member

LinusU commented Jun 16, 2022

What versions of Node are compatible?

v10.16.0 or newer

@victorKariuki
Copy link

victorKariuki commented Jun 21, 2022 via email

@ashish1497
Copy link

This is fixed in version 1.4.5-lts.1. That version has a breaking change in that it's not compatible with older versions of Node.js anymore. If anyone can contribute a backwards-compatible patch we could release that as 1.4.5 without the -lts.1 postfix.

Has this been done or we should do npm i [email protected]?

@bryanph
Copy link

bryanph commented Jul 6, 2022

@LinusU perhaps a good reason to release it as 2.0 to indicate a breaking change (removing support for older node versions)?

@ZhaoKunLong
Copy link

Is any way to resolve this issue?

@LinusU
Copy link
Member

LinusU commented Oct 30, 2022

@bryanph there is already another 2.0 release line with multiple releases

@ZhaoKunLong @ashish1497 yes, npm i [email protected] should fix this 👍

@LinusU LinusU closed this as completed Oct 30, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests