
Vulnerability in jose subdependency

Open m-wagner98 opened this issue 1 year ago • 3 comments

Environment:

  • Operating System version: _____
  • Firebase SDK version: 12.0.0
  • Firebase Product: Top-level idk (auth, database, storage, etc)
  • Node.js version: n/a
  • NPM version: n/a

[REQUIRED] Step 3: Describe the problem

Steps to reproduce:

  1. Create an npm project and install the firebase-admin package.
  2. Perform a security analysis of the dependencies using the OWASP dependency-check plugin.
  3. The analysis fails due to a known vulnerability in the jose package.
  4. With npm ls jose we can find out where the dependency comes from:

@computer% npm ls jose
@app/[email protected] /Users/wagnem46/dev/notificationmanager-v2
└─┬ [email protected]
  └─┬ [email protected]
    └── [email protected]

Vulnerability: https://github.com/panva/jose/security/advisories/GHSA-hhhv-q57g-882q https://nvd.nist.gov/vuln/detail/CVE-2024-28176

m-wagner98 · Mar 14 '24 13:03

I found a few problems with this issue:

  • I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.
  • This issue does not seem to follow the issue template. Make sure you provide all the required information.

google-oss-bot · Mar 14 '24 13:03

Thanks for filing this issue. Since the vulnerability is in a dependency of jwks-rsa, the fix should be addressed in that package. It also doesn't look like jwks-rsa pins to a specific version of jose, so you might be able to upgrade jose to v4.15.5 (which includes the fix) in your environment. See https://github.com/auth0/node-jwks-rsa/issues/403

lahirumaramba · Mar 14 '24 15:03
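The reporter's step 4 (tracing which dependency pulls in jose) and the maintainer's reply (checking whether the installed jose is at or above the fixed v4.15.5) are both things a defender wants to script against package-lock.json rather than eyeball from npm ls output. The Node script below is an added example and is not code from the issue thread, firebase-admin, jwks-rsa or jose. It walks the "packages" map of an npm lockfileVersion 2/3 file using npm's nested node_modules resolution, prints every dependency chain that ends in a target package, and flags any copy whose version is below the first fixed release. The lockfile fragment is constructed inline; firebase-admin 12.0.0 and the jose fix version 4.15.5 come from the thread, while the jwks-rsa and jose versions (3.1.0, 4.15.4) and the extra direct jose dependency are made-up values chosen to show a nested, still-vulnerable copy surviving next to an upgraded top-level one.

```javascript
// Added example, not part of the issue thread: find dependency chains to a
// package in an npm lockfile (v2/v3 "packages" map) and flag versions that
// are below the first fixed release.

// Constructed lockfile fragment. firebase-admin 12.0.0 and the jose fix
// version 4.15.5 are taken from the thread; every other version and the
// direct "jose" dependency are invented for the demonstration.
const LOCKFILE = {
  name: 'app',
  lockfileVersion: 3,
  packages: {
    '': { version: '1.0.0', dependencies: { 'firebase-admin': '^12.0.0', jose: '^4.15.5' } },
    'node_modules/firebase-admin': { version: '12.0.0', dependencies: { 'jwks-rsa': '^3.0.0' } },
    'node_modules/jwks-rsa': { version: '3.1.0', dependencies: { jose: '^4.14.0' } },
    // Top-level jose was upgraded ...
    'node_modules/jose': { version: '4.15.5' },
    // ... but a nested copy under jwks-rsa is still on the vulnerable release.
    'node_modules/jwks-rsa/node_modules/jose': { version: '4.15.4' },
  },
};

// Parse "major.minor.patch" (any prerelease/build suffix is ignored).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Returns -1, 0 or 1 like a comparator.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Resolve the lockfile key for `dep` as required from `fromKey`, following
// npm's lookup: nearest node_modules directory first, then walk outwards.
function resolveKey(packages, fromKey, dep) {
  let base = fromKey;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${dep}` : `node_modules/${dep}`;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf('/node_modules/');
    base = idx === -1 ? '' : base.slice(0, idx);
  }
}

// Package name from a lockfile key: everything after the last "node_modules/".
function nameOf(key, rootName) {
  if (key === '') return rootName;
  const marker = 'node_modules/';
  return key.slice(key.lastIndexOf(marker) + marker.length);
}

// Depth-first walk from the root; every path that reaches `target` is recorded.
function findChains(lockfile, target) {
  const { packages } = lockfile;
  const chains = [];
  const visit = (key, path, seen) => {
    const pkg = packages[key];
    if (!pkg || seen.has(key)) return; // skip cycles
    const name = nameOf(key, lockfile.name);
    const here = [...path, `${name}@${pkg.version}`];
    if (name === target) {
      chains.push({ path: here, version: pkg.version });
      return;
    }
    const nextSeen = new Set(seen).add(key);
    for (const dep of Object.keys(pkg.dependencies || {})) {
      const depKey = resolveKey(packages, key, dep);
      if (depKey) visit(depKey, here, nextSeen);
    }
  };
  visit('', [], new Set());
  return chains;
}

// Report each chain to `target` and whether that copy predates `fixedIn`.
function audit(lockfile, target, fixedIn) {
  return findChains(lockfile, target).map((c) => ({
    chain: c.path.join(' > '),
    version: c.version,
    vulnerable: compareVersions(c.version, fixedIn) < 0,
  }));
}

for (const r of audit(LOCKFILE, 'jose', '4.15.5')) {
  console.log(`${r.vulnerable ? 'VULNERABLE' : 'ok        '} ${r.chain}`);
}

module.exports = { LOCKFILE, parseVersion, compareVersions, resolveKey, findChains, audit };
```

To run it against a real project, replace the constructed LOCKFILE with `JSON.parse(fs.readFileSync('package-lock.json'))`; the point of walking chains rather than reading only `node_modules/jose` is that an upgrade at the top level can leave a nested, still-vulnerable copy in place, which is exactly what npm ls would show but a single version lookup would miss.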

Okay, we will upgrade in our environment.

m-wagner98 · Mar 14 '24 15:03