apollo-server-vercel
CVE-2022-24434 Vulnerability in dependency of apollo-server-core
@apollo-server-vercel depends on @apollographql/apollo-server-core 2.25.4 which depends on @apollographql/graphql-upload-8-fork, which depends on busboy <=0.3.1, which depends on a version of dicer which is vulnerable to a Denial of Service attack and has been assigned https://github.com/advisories/GHSA-wm7h-9275-46v2. The busboy maintainer has released a new busboy version 1.0.0 which removes the vulnerable dependency altogether: https://github.com/mscdex/busboy/issues/266. Unfortunately, @apollographql/graphql-upload-8-fork still depends on vulnerable busboy 0.3.1.
It looks as if this won't be fixed in @apollographql/graphql-upload-8-fork? See https://github.com/apollographql/apollo-server/issues/6485
yarn audit v1.22.18
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Crash in HeaderParser in dicer                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ dicer                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @saeris/apollo-server-vercel                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @saeris/apollo-server-vercel > apollo-server-core >          │
│               │ @apollographql/graphql-upload-8-fork > busboy > dicer        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1070404                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
1 vulnerabilities found - Packages audited: 1262
Severity: 1 High