4.5.6
Environment Info:
System:
OS: Windows 10 10.0.19041
CPU: (8) x64 Intel(R) Core(TM) i7-8550U CPU @ 1.80GHz
Binaries:
Node: 12.18.3 - C:\Program Files\nodejs\node.EXE
Yarn: 1.22.5 - C:\Program Files (x86)\Yarn\bin\yarn.CMD
npm: 6.14.8 - C:\Program Files\nodejs\npm.CMD
Browsers:
Chrome: 85.0.4183.121
Edge: Spartan (44.19041.423.0), Chromium (85.0.564.63), ChromiumDev (87.0.654.0)
npmPackages:
@ant-design-vue/babel-helper-vue-transform-on: 1.0.1
@types/vue2-editor: ^2.6.0 => 2.6.0
@vue/babel-helper-vue-jsx-merge-props: 1.0.0
@vue/babel-plugin-transform-vue-jsx: 1.1.2
@vue/babel-preset-app: ^4.1.1 => 4.5.4
@vue/babel-preset-jsx: 1.1.2
@vue/babel-sugar-functional-vue: 1.1.2
@vue/babel-sugar-inject-h: 1.1.2
@vue/babel-sugar-v-model: 1.1.2
@vue/babel-sugar-v-on: 1.1.2
@vue/cli-overlay: 4.5.6
@vue/cli-plugin-babel: ^4.1.1 => 4.5.4
@vue/cli-plugin-eslint: ^4.1.0 => 4.5.4
@vue/cli-plugin-router: 4.5.6
@vue/cli-plugin-typescript: ^4.1.1 => 4.5.4
@vue/cli-plugin-unit-mocha: ^4.1.1 => 4.5.4
@vue/cli-plugin-vuex: 4.5.6
@vue/cli-service: 4.5.6 => 4.5.6
@vue/cli-shared-utils: 4.5.4 (4.5.6)
@vue/component-compiler-utils: 3.2.0
@vue/composition-api: ^1.0.0-beta.3 => 1.0.0-beta.3
@vue/eslint-config-airbnb: ^4.0.0 => 4.0.1
@vue/eslint-config-typescript: ^4.0.0 => 4.0.0
@vue/preload-webpack-plugin: 1.1.2
@vue/test-utils: 1.0.0-beta.29 => 1.0.0-beta.29
@vue/web-component-wrapper: 1.2.0
ag-grid-vue: ^21.2.2 => 21.2.2
eslint-plugin-vue: ^6.1.2 => 6.1.2
typescript: ^3.4.2 => 3.5.3
vue: ^2.6.10 => 2.6.10 (2.6.11)
vue-class-component: ^6.3.2 => 6.3.2
vue-d2b: ^1.0.15 => 1.0.15
vue-directive-tooltip: ^1.6.3 => 1.6.3
vue-eslint-parser: 7.0.0
vue-hot-reload-api: 2.3.4
vue-i18n: ^8.10.0 => 8.12.0
vue-json-pretty: ^1.6.2 => 1.6.2
vue-loader: 15.9.3 (16.0.0-beta.8)
vue-moment: ^4.0.0 => 4.1.0
vue-property-decorator: ^7.3.0 => 7.3.0
vue-resize-directive: ^1.2.0 => 1.2.0
vue-router: ^3.0.3 => 3.0.7
vue-style-loader: 4.1.2
vue-template-compiler: ^2.6.10 => 2.6.10
vue-template-es2015-compiler: 1.9.1
vue2-ace-editor: 0.0.11 => 0.0.11
vue2-editor: ^2.10.2 => 2.10.2
vuex: ^3.1.0 => 3.1.1
vuex-class: ^0.3.2 => 0.3.2
npmGlobalPackages:
@vue/cli: Not Found
Install latest version of @vue/cli-service and try to run yarn audit or npm audit and see that the following advisory is shown (in this case yarn):
❯ yarn audit
yarn audit v1.22.5
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Prototype Pollution in node-forge                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ node-forge                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >= 0.10.0                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @vue/cli-service                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @vue/cli-service > webpack-dev-server > selfsigned >         │
│               │ node-forge                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1561                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
1 vulnerabilities found - Packages audited: 1932
Severity: 1 High
Done in 3.27s.
Expected: yarn audit or npm audit should return no vulnerabilities.
Actual: yarn audit or npm audit returns one high vulnerability.
Since it is the latest version and the vulnerability is highlighted as high, it would need to be fixed (upgrading node-forge).
Related NPM advisory: https://www.npmjs.com/advisories/1561
as shown in the vulnerability report you pasted, this is a transitive dependency of webpack-dev-server. we can't upgrade it on our end.
also, looking at the report, it seems that the affected features are utility functions that are not used by the features that node-forge itself provides. So unless webpack-dev-server does make use of these utilities and does so in an unsafe way, which is very unlikely, this is not really a serious vulnerability in our context.
Thanks for the clarification @LinusBorg ! I have changed the title of the issue to reflect that it is a transitive dependency.
Knowing that it does not have an impact on vue-cli is good. Nevertheless, I think vue-cli should upgrade webpack-dev-server once it is resolved on their side.
Related PRs in webpack-dev-server:
https://github.com/webpack/webpack-dev-server/pull/2752
https://github.com/webpack/webpack-dev-server/pull/2740
Related Issues in webpack-dev-server:
https://github.com/webpack/webpack-dev-server/issues/2755
since that will result in a patch release of webpack-dev-server, newly created projects will get that new version as soon as it's out.
Existing projects need to explicitly upgrade themselves, i.e. by deleting the lockfile and running the package install again (npm i / yarn).
That is correct. Should I close this issue or keep it open until webpack-dev-server patches it for reference?
keep it open for reference, other people might come here with the same question
Closing due to https://github.com/webpack/webpack-dev-server/issues/2755 . If you upgrade the transitive dependencies of webpack-dev-server in your yarn.lock or package-lock.json, specifically the dependency on selfsigned, then node-forge gets updated and the vulnerability gets resolved.
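A check a maintainer can run after regenerating the lockfile as described in the thread, written here as an added example (not code from this issue, vue-cli or webpack-dev-server): it parses a yarn.lock and flags any resolved node-forge version still below the advisory's patched range (>= 0.10.0). The lockfile excerpt inside is constructed to mirror the audit's dependency path; pass the contents of a real yarn.lock to `findUnpatched` instead.

```javascript
// Added example (not from the vue-cli issue or webpack-dev-server): parse a
// yarn.lock v1 file and report resolved node-forge versions below the patched
// range from the quoted advisory (>= 0.10.0). The lockfile text is constructed.
// yarn.lock v1: an entry header sits at column 0 with comma-separated
// selectors ending in ':'; its "version" line is indented by two spaces.
function parseYarnLock(text) {
  const entries = {};
  let current = null;
  for (const line of text.split(/\r?\n/)) {
    if (!line.trim() || line.startsWith('#')) continue;
    if (!line.startsWith(' ') && line.endsWith(':')) {
      const selectors = line.slice(0, -1).split(',').map(s => s.trim().replace(/^"|"$/g, ''));
      current = { version: null };
      for (const s of selectors) entries[s] = current;
    } else if (current && /^ {2}version /.test(line)) {
      current.version = line.trim().split(/\s+/)[1].replace(/^"|"$/g, '');
    }
  }
  return entries;
}

// True if dotted numeric version a is older than b (pre-release tags ignored).
function versionLt(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  }
  return false;
}

// Resolved versions of `pkg` in the lockfile that are older than `patched`.
function findUnpatched(lockText, pkg, patched) {
  const hits = new Set();
  for (const [sel, e] of Object.entries(parseYarnLock(lockText))) {
    if (sel.startsWith(pkg + '@') && e.version && versionLt(e.version, patched)) hits.add(e.version);
  }
  return [...hits].sort();
}

// Constructed excerpt mirroring the audit path: selfsigned still pins an unpatched node-forge.
const SAMPLE_LOCK = `# yarn lockfile v1
"node-forge@^0.9.0":
  version "0.9.0"
selfsigned@^1.10.7:
  version "1.10.7"
  dependencies:
    node-forge "^0.9.0"
`;

console.log(findUnpatched(SAMPLE_LOCK, 'node-forge', '0.10.0')); // [ '0.9.0' ]
```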