The dependency chain relies on is-svg 3.0.0. I am trying to unwind it, but can't figure out exactly which dependency needs to be updated. Here's the chain:
@symfony/webpack-encore [1.1.2]
|--> css-minimizer-webpack-plugin [^1.1.5]
|--> cssnano [^4.1.10]
|--> cssnano-preset-default [^4.0.7]
|--> postcss-svgo [^4.0.2]
|--> is-svg [^3.0.0] ***VULNERABLE***
CVE-2021-28092 requires is-svg to be updated to 4.2.2 or later.
Hi,
It looks like [email protected] is already up to date with cssnano-preset-default, postcss-svgo and is-svg.
The dependency to fix here is https://github.com/webpack-contrib/css-minimizer-webpack-plugin/, there is already an issue (https://github.com/webpack-contrib/css-minimizer-webpack-plugin/issues/60) and a PR (https://github.com/webpack-contrib/css-minimizer-webpack-plugin/pull/63).
thanks @Kocal !
Thanks for checking into this @Kocal! There is nothing to do in Encore unless the eventual dependency fix in https://github.com/webpack-contrib/css-minimizer-webpack-plugin/ only happens in a new major version of that library (Encore currently requires ^1.1.5).
@weaverryan, so you think this will resolve this issue, when merged?
https://github.com/webpack-contrib/css-minimizer-webpack-plugin/pull/63
Yes, that is my impression. Btw, if you read the underlying issue - https://nvd.nist.gov/vuln/detail/CVE-2021-28092 - I'm fairly sure there is no attack vector in Webpack and Encore anyways, which might be why things are moving slowly:
The is-svg package 2.1.0 through 4.2.1 for Node.js uses a regular expression that is vulnerable to Regular Expression Denial of Service (ReDoS). If an attacker provides a malicious string, is-svg will get stuck processing the input for a very long time.
I can't think of a way for an attacker to supply any string, as all the input is controlled by the developer.
Yeah, I think you are right @weaverryan. I'm more approaching this as an anal person who doesn't like seeing vulnerability warnings in my git repos :laughing:
[email protected] isn't really ready if I refer to https://github.com/cssnano/cssnano/blob/5.0.0-rc2/packages/postcss-svgo/package.json#L33
[email protected] is the right patched version.
I confirm by reading the [email protected] release comment https://github.com/sindresorhus/is-svg/releases/tag/v4.2.2
There is no impact in a Webpack tool context.
@manooweb a ^4.2.0 constraint still allows installing the patched is-svg version. The fact that the range does not forbid all vulnerable versions is not a blocker for avoiding the vulnerability in your own project.
Yes! You're right :blush: npm update is sufficient to update to the latest patched version and npm install will check this at the first install.
Here we're blocked because we need an update to a major version from 3 to 4.
Hello everyone, if I understand correctly for is-svg 4.2.2, because I am in is-svg 3.0.0, an "npm update is-svg" is sufficient? I'm on Symfony Encore. Or is it better to wait for the next updates? Have a good day
@YannRaulet no, npm update is not sufficient yet, because we need css-minimizer-webpack-plugin to update to the new major version of cssnano (which is in rc for now). So npm won't find a way to resolve dependencies without using an affected version.
@stof is correct, as far as I understand
This is now resolved by the release of postcss-svgo 4.0.3, which removed the is-svg dependency entirely.
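The thread turns on how npm caret ranges resolve: ^4.2.0 can still pick up is-svg 4.2.2, ^3.0.0 never can, and ^4.0.2 lets npm update reach postcss-svgo 4.0.3. The script below is an added example, not code from the thread or from any of the projects named in it; it reimplements the caret rule for plain X.Y.Z versions (no prerelease tags, an assumption) and walks the chain from the top of the issue to report which edge blocks the fix.

```javascript
// Only "^X.Y.Z" ranges and plain "X.Y.Z" versions are handled (assumption: no prerelease tags).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// npm caret semantics: allow changes that keep the left-most non-zero component unchanged.
function satisfiesCaret(range, version) {
  if (!range.startsWith('^')) throw new Error(`only caret ranges are supported: ${range}`);
  const lo = parseVersion(range.slice(1));
  const v = parseVersion(version);
  let hi;
  if (lo[0] > 0) hi = [lo[0] + 1, 0, 0];      // ^1.2.3 -> >=1.2.3 <2.0.0
  else if (lo[1] > 0) hi = [0, lo[1] + 1, 0]; // ^0.2.3 -> >=0.2.3 <0.3.0
  else hi = [0, 0, lo[2] + 1];                // ^0.0.3 -> >=0.0.3 <0.0.4
  return compareVersions(v, lo) >= 0 && compareVersions(v, hi) < 0;
}

// Each edge: the range a parent declares for its child and, when known, the child version
// carrying the fix. Returns the first child the declared range cannot reach, or null when
// a plain `npm update` can already pull the fix in.
function findBlockingEdge(chain) {
  for (const edge of chain) {
    if (edge.fixedIn !== null && !satisfiesCaret(edge.range, edge.fixedIn)) return edge.name;
  }
  return null;
}

// The chain as reported at the top of the thread. Known fixed versions from the thread:
// is-svg 4.2.2 (CVE-2021-28092) and postcss-svgo 4.0.3 (dropped is-svg); the rest unknown.
const CHAIN_AS_REPORTED = [
  { name: 'css-minimizer-webpack-plugin', range: '^1.1.5', fixedIn: null },
  { name: 'cssnano', range: '^4.1.10', fixedIn: null },
  { name: 'cssnano-preset-default', range: '^4.0.7', fixedIn: null },
  { name: 'postcss-svgo', range: '^4.0.2', fixedIn: null },
  { name: 'is-svg', range: '^3.0.0', fixedIn: '4.2.2' },
];

// Once postcss-svgo 4.0.3 removed is-svg, the edge that matters is the one pointing at postcss-svgo.
const CHAIN_AFTER_POSTCSS_SVGO_FIX = CHAIN_AS_REPORTED.slice(0, 4).map((e) =>
  e.name === 'postcss-svgo' ? { ...e, fixedIn: '4.0.3' } : e);
```

findBlockingEdge(CHAIN_AS_REPORTED) names is-svg, matching the "^3.0.0 cannot reach 4.2.2" explanation above; with the postcss-svgo 4.0.3 release it returns null, which is why npm update then suffices.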