
DoS vulnerability from [email protected]

Open mrded opened this issue 3 years ago • 14 comments

Hello,

Snyk is reporting a vulnerability in this repo, that is coming from the Dicer library:

Issues with no direct upgrade or patch:
  ✗ Denial of Service (DoS) [High Severity][https://snyk.io/vuln/SNYK-JS-DICER-2311764] in [email protected]
    introduced by [email protected] > [email protected] > [email protected]
  No upgrade or patch available

Updating busboy@^1.0.0 drops the dependency on dicer (where the vuln comes from).

Thanks

mrded avatar May 20 '22 15:05 mrded

https://github.com/expressjs/multer/pull/1096

mrded avatar May 20 '22 16:05 mrded

Better solution: https://github.com/expressjs/multer/pull/1097

mrded avatar May 23 '22 09:05 mrded

@mrded Thanks for raising this PR 1097. Request the team to merge this soon. As github is also reporting a high vulnerability which will get fixed with this busboy version upgrade. https://github.com/advisories/GHSA-wm7h-9275-46v2

krsubbar avatar May 26 '22 06:05 krsubbar

Severity: High
Summary: Crash in HeaderParser in dicer
Package: dicer
Patched in: No patch available
Dependency of: multer
Path: multer > busboy > dicer

roneyantony avatar May 26 '22 06:05 roneyantony

We need that fix. I don't like Severity: high; a warning is fine, not red notifications.

victorKariuki avatar Jun 06 '22 15:06 victorKariuki

I need this

1yzz avatar Jun 15 '22 07:06 1yzz

This is fixed in version 1.4.5-lts.1. That version has a breaking change in that it's not compatible with older versions of Node.js anymore. If anyone can contribute a backwards-compatible patch we could release that as 1.4.5 without the -lts.1 postfix.

LinusU avatar Jun 15 '22 09:06 LinusU

Thank you it works.

victorKariuki avatar Jun 15 '22 16:06 victorKariuki

What versions of Node are compatible?

123NeNaD avatar Jun 16 '22 02:06 123NeNaD

What versions of Node are compatible?

v10.16.0 or newer

LinusU avatar Jun 16 '22 07:06 LinusU

i've upgraded all my projects to 16 lts

From: Linus Unnebäck, Subject: Re: [expressjs/multer] DoS vulnerability (Issue #1095)

What versions of Node are compatible?

v10.16.0 or newer

victorKariuki avatar Jun 21 '22 05:06 victorKariuki

This is fixed in version 1.4.5-lts.1. That version has a breaking change in that it's not compatible with older versions of Node.js anymore. If anyone can contribute a backwards-compatible patch we could release that as 1.4.5 without the -lts.1 postfix.

Has this been done, or should we do npm i [email protected]?

ashish1497 avatar Jun 30 '22 14:06 ashish1497

@LinusU perhaps a good reason to release it as 2.0 to indicate a breaking change (removing support for older node versions)?

bryanph avatar Jul 06 '22 11:07 bryanph

Is there any way to resolve this issue?

ZhaoKunLong avatar Sep 09 '22 07:09 ZhaoKunLong

@bryanph there is already another 2.0 release line with multiple releases

@ZhaoKunLong @ashish1497 yes, npm i [email protected] should fix this 👍

LinusU avatar Oct 30 '22 14:10 LinusU