
Security Vulnerability : VM2 CVE-2023-37903

Open stbarillas opened this issue 2 years ago • 15 comments

Introduced through: [email protected] › [email protected] › proxy-agent › pac-proxy-agent › pac-resolver › [email protected]

Overview

The version of degenerator that gets installed alongside docusign-esign uses a deprecated VM2 package that is now referenced in vulnerability CVE-2023-37903.

vm2 is an open source vm/sandbox for Node.js. In vm2 for versions up to and including 3.9.19, Node.js custom inspect function allows attackers to escape the sandbox and run arbitrary code. This may result in Remote Code Execution, assuming the attacker has arbitrary code execution primitive inside the context of vm2 sandbox. There are no patches and no known workarounds. Users are advised to find an alternative software.

https://nvd.nist.gov/vuln/detail/CVE-2023-37903

Remediation

[email protected] refactors VM2 out. To get this version of Degenerator, proxy-agent must be upgraded to 6.3.1. Unfortunately the latest version of [email protected] still uses proxy-agent@^5.0.0.

Overriding proxy-agent to use 6.3.1 results in errors. Remediation is having TooTallNate update superagent-proxy to support [email protected] or refactoring superagent-proxy out

stbarillas avatar Dec 12 '23 01:12 stbarillas
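As an added example (not code from the issue or the docusign-esign project), a small Node script that walks a package-lock.json the way npm resolves dependencies and reports any vm2 at or below 3.9.19 together with the chain that introduces it, so a consumer can confirm whether the path above is present in their own install. The embedded lock file is constructed to mirror that chain; every version in it other than vm2's is assumed.

```javascript
// Added example, not code from the issue or the docusign-esign project. Walks a
// package-lock.json (lockfileVersion 2/3 "packages" map) from the root, resolving each
// dependency as npm does, and reports vm2 <= 3.9.19 (CVE-2023-37903) with its chain.
const VULN_PACKAGE = 'vm2';
const LAST_VULNERABLE = '3.9.19';

// Numeric "x.y.z" compare (prerelease suffix ignored): negative when a < b.
function compareSemver(a, b) {
  const [pa, pb] = [a, b].map(v => v.split('-')[0].split('.').map(Number));
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  return 0;
}

// Resolve `name` required from `fromPath`: nested node_modules first, then each
// ancestor's node_modules up to the root (unscoped package names only).
function resolveDep(fromPath, name, packages) {
  for (let base = fromPath; ; base = base.replace(/\/?node_modules\/[^/]+$/, '')) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
  }
}

// Breadth-first walk from the root; each package is reported once, via its shortest chain.
function findVulnerableVm2(lock) {
  const { packages } = lock;
  const findings = [], visited = new Set(['']), queue = [{ lockPath: '', chain: [] }];
  while (queue.length) {
    const { lockPath, chain } = queue.shift();
    for (const name of Object.keys(packages[lockPath].dependencies || {})) {
      const depPath = resolveDep(lockPath, name, packages);
      if (!depPath || visited.has(depPath)) continue;
      visited.add(depPath);
      const { version } = packages[depPath];
      const nextChain = chain.concat(`${name}@${version}`);
      if (name === VULN_PACKAGE && compareSemver(version, LAST_VULNERABLE) <= 0)
        findings.push({ version, chain: nextChain.join(' › ') });
      queue.push({ lockPath: depPath, chain: nextChain });
    }
  }
  return findings;
}

// Constructed lock file mirroring the issue's chain in a flat (hoisted) layout;
// versions other than vm2's are illustrative, not taken from the real packages.
const CHAIN = [['docusign-esign', '6.5.0'], ['superagent-proxy', '3.0.0'], ['proxy-agent', '5.0.0'],
  ['pac-proxy-agent', '5.0.0'], ['pac-resolver', '5.0.0'], ['degenerator', '3.0.0'], ['vm2', '3.9.19']];
const SAMPLE_LOCK = { packages: { '': { dependencies: { 'docusign-esign': '*' } } } };
CHAIN.forEach(([name, version], i) => { SAMPLE_LOCK.packages['node_modules/' + name] =
  { version, dependencies: CHAIN[i + 1] ? { [CHAIN[i + 1][0]]: '*' } : {} }; });
for (const f of findVulnerableVm2(SAMPLE_LOCK)) console.log(`vm2@${f.version} via ${f.chain}`);
```

To scan a real install, replace SAMPLE_LOCK with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`.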

Thanks for notifying us about this. I'll let the SDK devs know.

ivan-dinkov avatar Dec 12 '23 09:12 ivan-dinkov

@ivan-dinkov do we have a fix here yet? It looks like there's still a critical-level security vulnerability this is forcing on people...

comp615 avatar Jan 22 '24 22:01 comp615

@ivan-dinkov any update?

Ivanrenes avatar Feb 08 '24 00:02 Ivanrenes

Hi! Sorry to be a bother, but we are paying customers and will have to drop this dependency and find another service to keep our SOC2 compliance, if the sub-dependencies are not updated to secure versions for this library. We're now up to 3 high security warnings from your sub-dependencies @InbarGazit @ivan-dinkov

nikodunk avatar Feb 12 '24 05:02 nikodunk

@eleanorharris I noticed an update then a rollback. Are there any plans for the superagent-proxy package to be updated in the near future? https://github.com/docusign/docusign-esign-node-client/commit/07812393ab31eee58e7e0f751fb5a3c6dd094c5f

meads2320 avatar Feb 12 '24 21:02 meads2320

Any updates on this? Not cool having to install a package of a flagship product and seeing 6 high-level warnings...

Eyalm321 avatar Feb 23 '24 05:02 Eyalm321

Eyal and everyone else, I apologize for not communicating and for the delays on this. We're working on this, we had some challenges which is why this is not done yet, but we'll get it done very soon, please be a little more patient. We'll update this thread as soon as this is resolved.

InbarGazit avatar Feb 23 '24 16:02 InbarGazit

Eyal, see https://www.npmjs.com/package/docusign-esign/v/6.6.0-rc2 and let us know if it fixes this issue

InbarGazit avatar Mar 19 '24 18:03 InbarGazit

@InbarGazit hey, generateAccessToken is no longer working in that version.

Ivanrenes avatar Mar 20 '24 14:03 Ivanrenes

Any updates or PR to keep track of this issue? This is still at critical level

maxicapodacqua avatar Mar 26 '24 13:03 maxicapodacqua

Any updates?

fabiolnm avatar Mar 27 '24 17:03 fabiolnm

@fabiolnm did you try with RC version https://www.npmjs.com/package/docusign-esign/v/6.6.0-rc2?

Auth stopped working for me.

Ivanrenes avatar Mar 27 '24 17:03 Ivanrenes

The RC version worked for me. Thanks!

fabiolnm avatar Apr 02 '24 07:04 fabiolnm

The RC version worked for me as well. Is there a plan to release this RC version soon?

jwvanhollebeke avatar Apr 16 '24 14:04 jwvanhollebeke

Folks, I notice this vulnerability no longer exists with 7.0.0-rc1, and it looks like 6.6.0-rc2 also appeared to potentially solve this issue.

In the future, it would be kind to those who depend on this package to release patches to cover these vulnerabilities.

bejoinka avatar May 15 '24 02:05 bejoinka

Appreciate the confirmation, @fabiolnm, @jwvanhollebeke and @bejoinka!

@nikodunk, @maxicapodacqua, @Eyalm321, @comp615, @stbarillas

I'm glad to inform you that we've successfully addressed the security vulnerability identified in [email protected]. You can now access the updated version, 6.6.0-rc2, here, as mentioned earlier by @InbarGazit.

We're currently in the process of finalizing the RC version to publish. Stay tuned for updates as we move forward with this plan.

For additional visibility, you can access the changelogs here.

If you have any further questions or concerns, feel free to reach out.

sonawane-sanket avatar May 17 '24 06:05 sonawane-sanket

We're excited to announce the release of the public version 7.0.0. We encourage you to upgrade and check out the changelog here.

sonawane-sanket avatar May 23 '24 07:05 sonawane-sanket

@sonawane-sanket when trying to generate a token with generateAccessToken using the client it just doesn't work, it throws an empty error (see screenshot). With the previous version it works as usual; did anything change for that?


Update:

Just found the issue in your code, please merge this PR ASAP

Ivanrenes avatar May 23 '24 20:05 Ivanrenes

Thank you @ivan-dinkov

We truly appreciate your prompt feedback. The issue has been resolved.

Please find further updates here

sonawane-sanket avatar May 24 '24 08:05 sonawane-sanket

@sonawane-sanket Please check the https://github.com/docusign/docusign-esign-node-client/pull/352#pullrequestreview-2077517229 comment, generateAccessToken is still broken.

Ivanrenes avatar May 24 '24 17:05 Ivanrenes

Yep, broken now for us too on a node server integration. Following your docs you recommend doing:

```javascript
const docusign = require('docusign-esign');

// authenticate() is the caller's own helper from the DocuSign docs; it is
// expected to return an object carrying the account's basePath.
const auth = await authenticate();
const dsApiClient = new docusign.ApiClient();
dsApiClient.setBasePath(auth.basePath);
```

is where it throws on RC2.

was auth.basePath removed?

nikodunk avatar May 31 '24 21:05 nikodunk

Please follow further updates on here. Closing this issue for now.

sonawane-sanket avatar Jun 04 '24 11:06 sonawane-sanket