High and moderate security vulnerabilities in latest version 1.3.3
cavla opened this issue · comments
I am running the latest version 1.3.3 and npm audit is showing some vulnerabilities:
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Server-Side Request Forgery │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ axios │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=0.21.1 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ express-status-monitor │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ express-status-monitor > axios │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1594 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Insecure Default Configuration │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ socket.io │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=2.4.0 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ express-status-monitor │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ express-status-monitor > socket.io │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1609 │
└───────────────┴──────────────────────────────────────────────────────────────┘
Yes, express-status-monitor needs an update.
There have been no updates in the past 10 months... Is this package even active? If so, this issue needs to be handled. @RafalWilinski
7 vulnerabilities (1 moderate, 5 high, 1 critical)
# npm audit report
axios <0.21.1
Severity: high
Server-Side Request Forgery - https://npmjs.com/advisories/1594
fix available via `npm audit fix --force`
Will install express-status-monitor@1.2.3, which is a breaking change
node_modules/axios
express-status-monitor <=0.1.9 || >=1.2.5
Depends on vulnerable versions of axios
Depends on vulnerable versions of socket.io
node_modules/express-status-monitor
socket.io <=2.3.0 || 3.0.0-rc1 - 3.0.0-rc4
Severity: high
Insecure Default Configuration - https://npmjs.com/advisories/1609
Depends on vulnerable versions of socket.io-client
fix available via `npm audit fix --force`
Will install express-status-monitor@1.2.3, which is a breaking change
node_modules/socket.io
express-status-monitor <=0.1.9 || >=1.2.5
Depends on vulnerable versions of axios
Depends on vulnerable versions of socket.io
node_modules/express-status-monitor
ws 5.0.0 - 5.2.2 || 6.0.0 - 6.2.1 || 7.0.0 - 7.4.5
Severity: moderate
Regular Expression Denial of Service - https://npmjs.com/advisories/1748
fix available via `npm audit fix --force`
Will install express-status-monitor@1.2.3, which is a breaking change
node_modules/engine.io-client/node_modules/ws
engine.io-client 0.7.0 || 0.7.8 - 0.7.9 || 1.6.0 - 1.8.5 || 2.0.0 - 3.5.1 || 4.0.0-alpha.0 - 4.1.3
Depends on vulnerable versions of ws
Depends on vulnerable versions of xmlhttprequest-ssl
node_modules/engine.io-client
socket.io-client 1.4.0 - 1.7.3 || 2.0.0 - 2.1.1 || 2.3.0 - 2.3.1 || 3.0.0-rc1 - 3.0.5
Depends on vulnerable versions of engine.io-client
node_modules/socket.io-client
socket.io <=2.3.0 || 3.0.0-rc1 - 3.0.0-rc4
Depends on vulnerable versions of socket.io-client
node_modules/socket.io
express-status-monitor <=0.1.9 || >=1.2.5
Depends on vulnerable versions of axios
Depends on vulnerable versions of socket.io
node_modules/express-status-monitor
xmlhttprequest-ssl <=1.6.1
Severity: critical
Arbitrary Code Injection - https://npmjs.com/advisories/1665
Improper Verification of Cryptographic Signature - https://npmjs.com/advisories/1746
fix available via `npm audit fix --force`
Will install express-status-monitor@1.2.3, which is a breaking change
node_modules/xmlhttprequest-ssl
engine.io-client 0.7.0 || 0.7.8 - 0.7.9 || 1.6.0 - 1.8.5 || 2.0.0 - 3.5.1 || 4.0.0-alpha.0 - 4.1.3
Depends on vulnerable versions of ws
Depends on vulnerable versions of xmlhttprequest-ssl
node_modules/engine.io-client
socket.io-client 1.4.0 - 1.7.3 || 2.0.0 - 2.1.1 || 2.3.0 - 2.3.1 || 3.0.0-rc1 - 3.0.5
Depends on vulnerable versions of engine.io-client
node_modules/socket.io-client
socket.io <=2.3.0 || 3.0.0-rc1 - 3.0.0-rc4
Depends on vulnerable versions of socket.io-client
node_modules/socket.io
express-status-monitor <=0.1.9 || >=1.2.5
Depends on vulnerable versions of axios
Depends on vulnerable versions of socket.io
node_modules/express-status-monitor
7 vulnerabilities (1 moderate, 5 high, 1 critical)
To address all issues (including breaking changes), run:
npm audit fix --force
I guess he abandoned it, sad.
Mostly closed in the 1.3.4 release (be7b8fc).
Nevertheless, there is 1 outstanding security vulnerability, GHSA-j4f2-536g-r55m.
express-status-monitor@1.3.4
> socket.io@2.4.1
> engine.io@3.5.0
This has been committed as 1a38ae5 (or PR #188), which upgraded socket.io@2.4.1 to socket.io@4.4.1, but it has yet to be released.