[security] vulnerable npm dependencies #1550

Open
nodiscc opened this issue Apr 3, 2025 · 0 comments
Labels
bug Something isn't working triage

nodiscc commented Apr 3, 2025

### Describe the bug

Hi @CorentinTh

trivy security scanner reports vulnerable npm dependencies in this project, including 1 critical:

crypto-js PBKDF2 is 1,000 times weaker than originally specified in 1993, and at least 1,300,000 times weaker than current industry standard

I am unsure if this directly affects the key generation features of it-tools.

Still, it would be great if you could update the project's dependencies and create a new release.

(the lack of "recent" commits also hampers the addition of it-tools to awesome-selfhosted)

### What happened?

wget https://github.com/aquasecurity/trivy/releases/download/v0.59.0/trivy_0.59.0_Linux-64bit.tar.gz
tar -zxvf trivy_0.59.0_Linux-64bit.tar.gz
cd trivy_0.59.0_Linux-64bit/

$ ./trivy repo https://github.com/CorentinTh/it-tools
2025-04-03T22:10:49+02:00	INFO	[vulndb] Need to update DB
2025-04-03T22:10:49+02:00	INFO	[vulndb] Downloading vulnerability DB...
2025-04-03T22:10:49+02:00	INFO	[vulndb] Downloading artifact...	repo="mirror.gcr.io/aquasec/trivy-db:2"
61.92 MiB / 61.92 MiB [-------------------------------------------------] 100.00% 19.26 MiB p/s 3.4s
2025-04-03T22:10:53+02:00	INFO	[vulndb] Artifact successfully downloaded	repo="mirror.gcr.io/aquasec/trivy-db:2"
2025-04-03T22:10:53+02:00	INFO	[vuln] Vulnerability scanning is enabled
2025-04-03T22:10:53+02:00	INFO	[secret] Secret scanning is enabled
2025-04-03T22:10:53+02:00	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-04-03T22:10:53+02:00	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.59/docs/scanner/secret#recommendation for faster secret detection
Enumerating objects: 3357, done.
Counting objects: 100% (3357/3357), done.
Compressing objects: 100% (2238/2238), done.
Total 3357 (delta 1526), reused 2531 (delta 1046), pack-reused 0 (from 0)
2025-04-03T22:10:55+02:00	INFO	[pnpm] To collect the license information of packages, "pnpm install" needs to be performed beforehand	dir="node_modules"
2025-04-03T22:10:55+02:00	INFO	Suppressing dependencies for development and testing. To display them, try the '--include-dev-deps' flag.
2025-04-03T22:10:55+02:00	INFO	Number of language-specific files	num=1
2025-04-03T22:10:55+02:00	INFO	[pnpm] Detecting vulnerabilities...

pnpm-lock.yaml (pnpm)

Total: 19 (UNKNOWN: 0, LOW: 0, MEDIUM: 12, HIGH: 6, CRITICAL: 1)

┌───────────────────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────────────┬──────────────────────────────────────────────────────────────┐
│        Library        │ Vulnerability  │ Severity │ Status │ Installed Version │      Fixed Version      │                            Title                             │
├───────────────────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────────────┼──────────────────────────────────────────────────────────────┤
│ @babel/helpers        │ CVE-2025-27789 │ MEDIUM   │ fixed  │ 7.23.2            │ 7.26.10, 8.0.0-alpha.17 │ Babel is a compiler for writing next generation JavaScript.  │
│                       │                │          │        │                   │                         │ When using ......                                            │
│                       │                │          │        │                   │                         │ https://avd.aquasec.com/nvd/cve-2025-27789                   │
├───────────────────────┤                │          │        ├───────────────────┤                         │                                                              │
│ @babel/runtime        │                │          │        │ 7.22.10           │                         │                                                              │
│                       │                │          │        │                   │                         │                                                              │
│                       │                │          │        │                   │                         │                                                              │
│                       │                │          │        ├───────────────────┤                         │                                                              │
│                       │                │          │        │ 7.23.2            │                         │                                                              │
│                       │                │          │        │                   │                         │                                                              │
│                       │                │          │        │                   │                         │                                                              │
├───────────────────────┼────────────────┤          │        ├───────────────────┼─────────────────────────┼──────────────────────────────────────────────────────────────┤
│ @intlify/core-base    │ CVE-2024-52809 │          │        │ 9.9.1             │ 9.14.2, 10.0.5          │ vue-i18n has cross-site scripting vulnerability with         │
│                       │                │          │        │                   │                         │ prototype pollution                                          │
│                       │                │          │        │                   │                         │ https://avd.aquasec.com/nvd/cve-2024-52809                   │
├───────────────────────┼────────────────┤          │        │                   │                         ├──────────────────────────────────────────────────────────────┤
│ @intlify/shared       │ CVE-2024-52810 │          │        │                   │                         │ @intlify/shared Prototype Pollution vulnerability            │
│                       │                │          │        │                   │                         │ https://avd.aquasec.com/nvd/cve-2024-52810                   │
├───────────────────────┼────────────────┼──────────┤        ├───────────────────┼─────────────────────────┼──────────────────────────────────────────────────────────────┤
│ braces                │ CVE-2024-4068  │ HIGH     │        │ 3.0.2             │ 3.0.3                   │ braces: fails to limit the number of characters it can       │
│                       │                │          │        │                   │                         │ handle                                                       │
│                       │                │          │        │                   │                         │ https://avd.aquasec.com/nvd/cve-2024-4068                    │
├───────────────────────┼────────────────┼──────────┤        ├───────────────────┼─────────────────────────┼──────────────────────────────────────────────────────────────┤
│ crypto-js             │ CVE-2023-46233 │ CRITICAL │        │ 4.1.1             │ 4.2.0                   │ crypto-js: PBKDF2 1,000 times weaker than specified in 1993  │
│                       │                │          │        │                   │                         │ and 1.3M times...                                            │
│                       │                │          │        │                   │                         │ https://avd.aquasec.com/nvd/cve-2023-46233                   │
├───────────────────────┼────────────────┼──────────┤        ├───────────────────┼─────────────────────────┼──────────────────────────────────────────────────────────────┤
│ dompurify             │ CVE-2024-45801 │ HIGH     │        │ 3.0.6             │ 2.5.4, 3.1.3            │ dompurify: XSS vulnerability via prototype pollution         │
│                       │                │          │        │                   │                         │ https://avd.aquasec.com/nvd/cve-2024-45801                   │
│                       ├────────────────┤          │        │                   ├─────────────────────────┼──────────────────────────────────────────────────────────────┤
│                       │ CVE-2024-47875 │          │        │                   │ 2.5.0, 3.1.3            │ dompurify: nesting-based mutation XSS vulnerability          │
│                       │                │          │        │                   │                         │ https://avd.aquasec.com/nvd/cve-2024-47875                   │
│                       ├────────────────┼──────────┤        │                   ├─────────────────────────┼──────────────────────────────────────────────────────────────┤
│                       │ CVE-2025-26791 │ MEDIUM   │        │                   │ 3.2.4                   │ dompurify: Mutation XSS in DOMPurify Due to Improper         │
│                       │                │          │        │                   │                         │ Template Literal Handling                                    │
│                       │                │          │        │                   │                         │ https://avd.aquasec.com/nvd/cve-2025-26791                   │
├───────────────────────┼────────────────┤          │        ├───────────────────┼─────────────────────────┼──────────────────────────────────────────────────────────────┤
│ micromatch            │ CVE-2024-4067  │          │        │ 4.0.5             │ 4.0.8                   │ micromatch: vulnerable to Regular Expression Denial of       │
│                       │                │          │        │                   │                         │ Service                                                      │
│                       │                │          │        │                   │                         │ https://avd.aquasec.com/nvd/cve-2024-4067                    │
├───────────────────────┼────────────────┤          │        ├───────────────────┼─────────────────────────┼──────────────────────────────────────────────────────────────┤
│ nanoid                │ CVE-2024-55565 │          │        │ 3.3.6             │ 5.0.9, 3.3.8            │ nanoid: nanoid mishandles non-integer values                 │
│                       │                │          │        │                   │                         │ https://avd.aquasec.com/nvd/cve-2024-55565                   │
├───────────────────────┼────────────────┤          │        ├───────────────────┼─────────────────────────┼──────────────────────────────────────────────────────────────┤
│ postcss               │ CVE-2023-44270 │          │        │ 8.4.28            │ 8.4.31                  │ PostCSS: Improper input validation in PostCSS                │
│                       │                │          │        │                   │                         │ https://avd.aquasec.com/nvd/cve-2023-44270                   │
├───────────────────────┼────────────────┼──────────┤        ├───────────────────┼─────────────────────────┼──────────────────────────────────────────────────────────────┤
│ semver                │ CVE-2022-25883 │ HIGH     │        │ 7.5.1             │ 7.5.2, 6.3.1, 5.7.2     │ nodejs-semver: Regular expression denial of service          │
│                       │                │          │        │                   │                         │ https://avd.aquasec.com/nvd/cve-2022-25883                   │
├───────────────────────┼────────────────┤          │        ├───────────────────┼─────────────────────────┼──────────────────────────────────────────────────────────────┤
│ vue-i18n              │ CVE-2025-27597 │          │        │ 9.9.1             │ 9.14.3, 10.0.6, 11.1.2  │ Vue I18n Allows Prototype Pollution in `handleFlatJson`      │
│                       │                │          │        │                   │                         │ https://avd.aquasec.com/nvd/cve-2025-27597                   │
│                       ├────────────────┼──────────┤        │                   ├─────────────────────────┼──────────────────────────────────────────────────────────────┤
│                       │ CVE-2024-52809 │ MEDIUM   │        │                   │ 9.14.2, 10.0.5          │ vue-i18n has cross-site scripting vulnerability with         │
│                       │                │          │        │                   │                         │ prototype pollution                                          │
│                       │                │          │        │                   │                         │ https://avd.aquasec.com/nvd/cve-2024-52809                   │
│                       ├────────────────┤          │        │                   │                         ├──────────────────────────────────────────────────────────────┤
│                       │ CVE-2024-52810 │          │        │                   │                         │ @intlify/shared Prototype Pollution vulnerability            │
│                       │                │          │        │                   │                         │ https://avd.aquasec.com/nvd/cve-2024-52810                   │
├───────────────────────┼────────────────┤          │        ├───────────────────┼─────────────────────────┼──────────────────────────────────────────────────────────────┤
│ vue-template-compiler │ CVE-2024-6783  │          │        │ 2.7.14            │ 3.0.0                   │ vue-template-compiler vulnerable to client-side Cross-Site   │
│                       │                │          │        │                   │                         │ Scripting (XSS)                                              │
│                       │                │          │        │                   │                         │ https://avd.aquasec.com/nvd/cve-2024-6783                    │
├───────────────────────┼────────────────┼──────────┤        ├───────────────────┼─────────────────────────┼──────────────────────────────────────────────────────────────┤
│ yaml                  │ CVE-2023-2251  │ HIGH     │        │ 2.2.1             │ 2.2.2                   │ Uncaught Exception in GitHub repository eemeli/yaml prior to │
│                       │                │          │        │                   │                         │ 2.0.0-5.                                                     │
│                       │                │          │        │                   │                         │ https://avd.aquasec.com/nvd/cve-2023-2251                    │
└───────────────────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────────────┴──────────────────────────────────────────────────────────────┘

src/tools/jwt-parser/jwt-parser.vue (secrets)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)


### System information

Debian 12

### Where did you encounter the bug?

Other (installations, docker, etc.)