Browser-sync: RE DoS + Prototype pollution vulnerability
Issue details
NPM flagged a vulnerability regarding this package due to a Regular Expression Denial of Service found in its debug dependency as follows:
Low โ Regular Expression Denial of Service โ
โโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Package โ debug โ
โโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Patched in โ >= 2.6.9 < 3.0.0 || >= 3.1.0 โ
โโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Dependency of โ browser-sync [dev] โ
โโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Path โ browser-sync > localtunnel > debug โ
โโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ More info โ https://nodesecurity.io/advisories/534
There's also an apparent Prototype Pollution in its lodash dependency as follows:
Low โ Prototype Pollution โ
โโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Package โ lodash โ
โโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Patched in โ >=4.17.5 โ
โโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Dependency of โ browser-sync โ
โโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Path โ browser-sync > easy-extender > lodash โ
โโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ More info โ https://nodesecurity.io/advisories/577
Steps to reproduce/test case
# cd to a project that uses browser-sync as a dev dependency
npm audit #or nsp check
Please specify which version of Browsersync, node and npm you're running
- Browsersync [2.24.6]
- Node [10.7.0]
- Npm [6.2.0]
Affected platforms
- [x] linux
- [x] windows
- [x] OS X
- [ ] freebsd
- [ ] solaris
- [ ] other _(please specify which)_
Browsersync use-case
- [x] API
- [ ] Gulp
- [ ] Grunt
- [ ] CLI
If CLI, please paste the entire command below
{cli command here}
for all other use-cases, (gulp, grunt etc), please show us exactly how you're using Browsersync
if (app.get('browser') || process.env.BROWSER) {
require('browser-sync')({
proxy: `localhost:${port}`,
files: ['public/**/*.{js,css}']
});
}
Berkmann18
👍11
All 5 comments
I cannot address the localtunnel one https://github.com/localtunnel/localtunnel/issues/272
shakyShane
on 26 Aug 2018
@shakyShane How come? Aren't you the author and a contributor to that package including BrowserSync ?
Berkmann18
on 27 Aug 2018
FYI, localtunnel updated their dependencies with https://github.com/localtunnel/localtunnel/pull/256 and released to v1.9.1 to fix their end.
adamjaffeback
on 11 Sep 2018
👍2
@adamjaffeback Thanks for info.
Berkmann18
on 11 Sep 2018
@shakyShane Thanks for fixing this! I see the change is tagged with a 2.25.0 alpha release. When will the final version be released?
jt2k
on 4 Oct 2018
👍1
Was this page helpful?
0 / 5 - 0 ratings
Related issues
sedubois
ยท
3Comments
codeofsumit
ยท
3Comments
tonyoconnell
ยท
3Comments
ericmorand
ยท
3Comments
npearson72
ยท
3Comments
Most helpful comment
FYI, localtunnel updated their dependencies with https://github.com/localtunnel/localtunnel/pull/256 and released to v1.9.1 to fix their end.