amplify-js
[email protected] has high sev security alert arising from node-ip CVE-2023-42282
Before creating a new issue, please confirm:
- [X] I have searched for duplicate or closed issues and discussions.
- [X] I have tried disabling all browser extensions or using a different browser
- [X] I have tried deleting the node_modules folder and reinstalling my dependencies
- [X] I have read the guide for submitting bug reports.
On which framework/platform are you having an issue?
React
Which UI component?
Other
How is your app built?
Create React App
What browsers are you seeing the problem on?
No response
Which region are you seeing the problem in?
All
Please describe your bug.
NPM IP package vulnerable to Server-Side Request Forgery (SSRF) attacks - https://github.com/advisories/GHSA-78xj-cgh5-2h22 is coming from aws-amplify/[email protected].
What's the expected behaviour?
No security issues
Help us reproduce the bug!
>>>npm audit
...
>>>npm ls ip
@aws-amplify/[email protected]
└─┬ [email protected]
  └─┬ @aws-amplify/[email protected]
    └─┬ [email protected]
      └─┬ [email protected]
        └─┬ @react-native-community/[email protected]
          ├─┬ @react-native-community/[email protected]
          │ └── [email protected]
          └─┬ @react-native-community/[email protected]
            └── [email protected] deduped
Code Snippet
// Put your code below this line.
Console log output
No response
Additional information and screenshots
No response
Same problem here, it's blocking our pipelines. The issue specifically is the ip package on npm. The official repository of the ip package is working on the CVE-2023-42282 issue. I assume it's going to get fixed when they merge it, or the aws-amplify maintainers find another workaround.
A new version of the ip package has been released on npm. https://github.com/indutny/node-ip/pull/138
Hello, Thank you for contacting us regarding CVE-2023-42282 [1]. We can confirm that AWS Amplify is not affected by this issue. While some Amplify services and libraries contain the "ip" package, they do not use the affected function "isPublic". No customer action is required.