Browser-sync: Security issue in xmlhttprequest-ssl via a transitive dependency on engine.io-client
Issue details
High vulnerability with xmlhttprequest-ssl via a transitive dependency on engine.io-client
https://github.com/advisories/GHSA-h4j5-c7cj-74xg
Steps to reproduce/test case
https://github.com/advisories/GHSA-h4j5-c7cj-74xg
Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.
Please specify which version of Browsersync, node and npm you're running
- Browsersync [ ]
- Node [ ]
- Npm [ ]
Affected platforms
- [ x] linux
- [ x] windows
- [ x] OS X
- [ x] freebsd
- [ x] solaris
- [ ] other _(please specify which)_
Browsersync use-case
- [ ] API
- [ ] Gulp
- [ ] Grunt
- [ ] CLI
If CLI, please paste the entire command below
{cli command here}
for all other use-cases, (gulp, grunt etc), please show us exactly how you're using Browsersync
{Browsersync init code here}
obalunenko
All 4 comments
@shakyShane Could you please fix this issue?
obalunenko
on 5 May 2021
The dependency in question is socket.io. Latest version is 4.0.1 while browser-sync uses 2.4.0.
ffflorian
on 5 May 2021
running npm update engine.io-client --depth 4 from the command line resolved my issue with this
hiphopappotamus
on 5 May 2021
running
npm update engine.io-client --depth 4from the command line resolved my issue with this
This yielded a warning for me:
npm WARN update The --depth option no longer has any effect. See RFC0019.
npm WARN update https://github.com/npm/rfcs/blob/latest/implemented/0019-remove-update-depth-option.md
Leif-W
on 30 May 2021
Related issues
ronilaukkarinen
路
4Comments
Mil00Z
路
3Comments
sedubois
路
3Comments
jitendravyas
路
4Comments
ilianaza
路
4Comments
Most helpful comment
running
npm update engine.io-client --depth 4from the command line resolved my issue with this