RafalWilinski / express-status-monitor

🚀 Realtime Monitoring solution for Node.js/Express.js apps, inspired by status.github.com, sponsored by https://dynobase.dev


High and moderate security vulnerabilities in latest version 1.3.3

cavla opened this issue · comments


I am running the latest version 1.3.3 and npm audit is showing some vulnerabilities:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Server-Side Request Forgery │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ axios │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=0.21.1 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ express-status-monitor │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ express-status-monitor > axios │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1594
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Insecure Default Configuration │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ socket.io │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=2.4.0 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ express-status-monitor │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ express-status-monitor > socket.io │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1609
└───────────────┴──────────────────────────────────────────────────────────────┘
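A way to check a project's own lockfile against the two "Patched in" ranges in the table above, as an added example that is not part of the issue or of express-status-monitor; the sample lockfile and its version numbers are constructed for illustration.

```javascript
// Added example, not code from the issue or from express-status-monitor:
// read a package-lock.json "packages" map (lockfileVersion 2 or 3) and report
// installed copies of the flagged packages whose version sits below the
// advisories' "Patched in" range. Only ">=X.Y.Z" ranges are handled here.
const ADVISORIES = [
  { pkg: 'axios', patched: '>=0.21.1', url: 'https://npmjs.com/advisories/1594' },
  { pkg: 'socket.io', patched: '>=2.4.0', url: 'https://npmjs.com/advisories/1609' },
];

// "1.2.3" or "1.2.3-rc1" -> [1, 2, 3]; a prerelease tag is ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

// True when `version` is at or above the minimum named by a ">=X.Y.Z" range.
function satisfiesMinimum(version, range) {
  const m = /^>=\s*(\S+)$/.exec(range);
  if (!m) throw new Error(`unsupported range: ${range}`);
  const a = parseVersion(version), b = parseVersion(m[1]);
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] > b[i];
  return true; // all three components equal
}

// Walk every installed package, hoisted or nested, and keep the unpatched ones.
function findUnpatched(lock, advisories = ADVISORIES) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project itself
    const name = path.slice(path.lastIndexOf('node_modules/') + 13); // also handles @scope/name
    for (const adv of advisories) {
      if (name === adv.pkg && !satisfiesMinimum(entry.version, adv.patched)) {
        findings.push({ pkg: name, version: entry.version, path, patched: adv.patched, url: adv.url });
      }
    }
  }
  return findings;
}

// Constructed sample lockfile: the versions are made up to sit below the ranges.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'my-app', dependencies: { 'express-status-monitor': '1.3.3' } },
    'node_modules/express-status-monitor': { version: '1.3.3' },
    'node_modules/axios': { version: '0.19.2' },
    'node_modules/express-status-monitor/node_modules/socket.io': { version: '2.3.0' },
  },
};
```

Replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json'))` to run it against a real project; each finding carries the lockfile path so nested copies are not hidden behind a hoisted one.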

Yes, express-status-monitor needs an update.

There have been no updates in the past 10 months... Is this package even active? If so, this issue needs to be handled. @RafalWilinski

7 vulnerabilities (1 moderate, 5 high, 1 critical)

# npm audit report

axios  <0.21.1
Severity: high
Server-Side Request Forgery - https://npmjs.com/advisories/1594
fix available via `npm audit fix --force`
Will install express-status-monitor@1.2.3, which is a breaking change
node_modules/axios
  express-status-monitor  <=0.1.9 || >=1.2.5
  Depends on vulnerable versions of axios
  Depends on vulnerable versions of socket.io
  node_modules/express-status-monitor

socket.io  <=2.3.0 || 3.0.0-rc1 - 3.0.0-rc4
Severity: high
Insecure Default Configuration - https://npmjs.com/advisories/1609
Depends on vulnerable versions of socket.io-client
fix available via `npm audit fix --force`
Will install express-status-monitor@1.2.3, which is a breaking change
node_modules/socket.io
  express-status-monitor  <=0.1.9 || >=1.2.5
  Depends on vulnerable versions of axios
  Depends on vulnerable versions of socket.io
  node_modules/express-status-monitor

ws  5.0.0 - 5.2.2 || 6.0.0 - 6.2.1 || 7.0.0 - 7.4.5
Severity: moderate
Regular Expression Denial of Service - https://npmjs.com/advisories/1748
fix available via `npm audit fix --force`
Will install express-status-monitor@1.2.3, which is a breaking change
node_modules/engine.io-client/node_modules/ws
  engine.io-client  0.7.0 || 0.7.8 - 0.7.9 || 1.6.0 - 1.8.5 || 2.0.0 - 3.5.1 || 4.0.0-alpha.0 - 4.1.3
  Depends on vulnerable versions of ws
  Depends on vulnerable versions of xmlhttprequest-ssl
  node_modules/engine.io-client
    socket.io-client  1.4.0 - 1.7.3 || 2.0.0 - 2.1.1 || 2.3.0 - 2.3.1 || 3.0.0-rc1 - 3.0.5
    Depends on vulnerable versions of engine.io-client
    node_modules/socket.io-client
      socket.io  <=2.3.0 || 3.0.0-rc1 - 3.0.0-rc4
      Depends on vulnerable versions of socket.io-client
      node_modules/socket.io
        express-status-monitor  <=0.1.9 || >=1.2.5
        Depends on vulnerable versions of axios
        Depends on vulnerable versions of socket.io
        node_modules/express-status-monitor

xmlhttprequest-ssl  <=1.6.1
Severity: critical
Arbitrary Code Injection - https://npmjs.com/advisories/1665
Improper Verification of Cryptographic Signature - https://npmjs.com/advisories/1746
fix available via `npm audit fix --force`
Will install express-status-monitor@1.2.3, which is a breaking change
node_modules/xmlhttprequest-ssl
  engine.io-client  0.7.0 || 0.7.8 - 0.7.9 || 1.6.0 - 1.8.5 || 2.0.0 - 3.5.1 || 4.0.0-alpha.0 - 4.1.3
  Depends on vulnerable versions of ws
  Depends on vulnerable versions of xmlhttprequest-ssl
  node_modules/engine.io-client
    socket.io-client  1.4.0 - 1.7.3 || 2.0.0 - 2.1.1 || 2.3.0 - 2.3.1 || 3.0.0-rc1 - 3.0.5
    Depends on vulnerable versions of engine.io-client
    node_modules/socket.io-client
      socket.io  <=2.3.0 || 3.0.0-rc1 - 3.0.0-rc4
      Depends on vulnerable versions of socket.io-client
      node_modules/socket.io
        express-status-monitor  <=0.1.9 || >=1.2.5
        Depends on vulnerable versions of axios
        Depends on vulnerable versions of socket.io
        node_modules/express-status-monitor

7 vulnerabilities (1 moderate, 5 high, 1 critical)

To address all issues (including breaking changes), run:
  npm audit fix --force

I guess he abandoned it, sad.

Mostly closed in the 1.3.4 release (be7b8fc).

Nevertheless, there is 1 outstanding security vulnerability, GHSA-j4f2-536g-r55m.
express-status-monitor@1.3.4 > socket.io@2.4.1 > engine.io@3.5.0

This has been committed as 1a38ae5 (PR #188), which upgrades socket.io@2.4.1 to socket.io@4.4.1, but it has yet to be released.