Create-react-app: Vulnerable Dependency: macaddress

Created on 17 May 2018 · 7 Comments · Source: facebook/create-react-app

Hi, apologies if this isn't the right place for this.

Using create-react-app and running npm audit (available as of npm 6) returns a vulnerable dependency report with a Critical tag:

=== npm audit security report ===

Package: macaddress
Dependency of: react-scripts
Path: react-scripts > css-loader > cssnano > postcss-filter-plugins > uniqid > macaddress
More info: https://nodesecurity.io/advisories/654

All 7 comments

npm audit outputs:

Run  npm install --dev [email protected]  to resolve 1 vulnerability

But according to https://github.com/facebook/create-react-app/issues/3815 the newest version is 2.0.0-next.66cc7a90.

What version should I install?

From the vulnerability description you linked to:

For this vulnerability to be exploited an attacker needs to control the iface argument to the one method.

If you look at the code for uniqid you'll see this is not the case.

So there is no actual vulnerability you're being exposed to.

Feel free to send us a PR that bumps the package version when downstream packages stop using the vulnerable one but there is no issue that we need to address on our side.

For this vulnerability to be exploited an attacker needs to control the iface argument to the one method
@gaearon can you explain what this means?

It’s said here:

https://nodesecurity.io/advisories/654

For this vulnerability to be exploited an attacker needs to control the iface argument to the one method.

The macaddress package exports a method called one that takes a single argument. If that argument was supplied by an attacker they could trigger the vulnerability. However, in our case that argument is hardcoded in the uniq implementation I linked to above:

// Excerpt from uniqid's index.js (comments added; surrounding code elided).
// macaddress is only required when not bundled by webpack, and the only
// argument ever passed to one() is this fixed callback, never an interface name.
var mac = typeof __webpack_require__ !== 'function' ? require('macaddress').one(macHandler) : null;
// ...
function macHandler(error) {
  // handles lookup errors; body elided in the original excerpt
}

It’s not based on user input and can’t be controlled by an attacker. So there is no vulnerability in this case.

Does this explanation help?
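The distinction gaearon draws above, as an added example that is not part of this thread or of uniqid: a wrapper that only forwards an interface name to a macaddress-style one() lookup when the program, not an outside caller, can vouch for it, and otherwise falls back to the callback-only call that uniqid uses. The lookup function is injected so the snippet runs without the macaddress package; IFACE_PATTERN and safeMacLookup are assumptions of this example, not part of macaddress.

```javascript
// Assumption: interface names look like "eth0", "en0" or "wlan0"; anything
// else is treated as untrusted and never reaches the lookup.
const IFACE_PATTERN = /^[A-Za-z0-9][A-Za-z0-9_.:-]{0,14}$/;

// Returns true only for a plain interface name.
function isSafeIface(iface) {
  return typeof iface === 'string' && IFACE_PATTERN.test(iface);
}

// `lookup` mimics macaddress.one: lookup(iface, callback) or lookup(callback).
// Returns 'callback-only', 'validated' or 'rejected' so a caller (or test)
// can see which path was taken.
function safeMacLookup(lookup, iface, callback) {
  if (iface === undefined) {
    // The uniqid pattern: no interface name at all, the argument is a
    // fixed callback, so there is nothing for an attacker to control.
    lookup(callback);
    return 'callback-only';
  }
  if (!isSafeIface(iface)) {
    // Anything that is not a plain interface name is refused up front.
    callback(new Error('rejected interface name: ' + JSON.stringify(iface)));
    return 'rejected';
  }
  lookup(iface, callback);
  return 'validated';
}

// Constructed stand-in for macaddress.one used when run stand-alone.
function fakeOne() {
  const callback = arguments[arguments.length - 1];
  callback(null, '00:11:22:33:44:55'); // constructed sample address
}

module.exports = { isSafeIface, safeMacLookup, fakeOne };
```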

@gaearon you were really helpful!

Hello, just commenting to report that I had the same issue and npm advised me to run
npm update postcss-filter-plugins --depth 4

Which did the trick.

Stuff will break if you start updating internal packages without ejecting. You’ve been warned :-)

Going to lock this thread because there’s no actionable thing here for us. I’ll see if we can bump the dependency in 1.x branch. But again, there’s no real vulnerability here and you’re wasting effort trying to fix it.
