
There is a vulnerability introduced in your package

Open paimon0715 opened this issue 2 years ago • 0 comments

Hi @floating @mholtzman, I'd like to report a vulnerability introduced in your package eth-provider:

Issue Description

A vulnerability CVE-2021-32640 detected in package ws (<5.2.3, >=6.0.0 <6.2.2, >=7.0.0 <7.4.6) is directly referenced by eth-provider@0.2.5. We noticed that such a vulnerability has been removed since [email protected].

However, eth-provider's popular previous version eth-provider@0.2.5 (4,847 downloads per week) is still transitively referenced by a large number of latest versions of active and popular downstream projects (about 32 downstream projects, e.g., use-wallet 0.9.0, @binance-chain/bsc-use-wallet 0.8.1, @sekmet/next-auth 0.1.49, cryptowalletconnector 1.0.14, hubot-kredits 3.8.0, @aragon/[email protected], etc.). As such, issue CVE-2021-32640 can be propagated into these downstream projects and expose security threats to them.

These projects cannot easily upgrade eth-provider from version 0.2.5 to (>=0.7.0). For instance, eth-provider@0.2.5 is introduced into the above projects via the following package dependency paths: (1) @aragon/[email protected] ➔ [email protected] ➔ @web3-react/[email protected] ➔ [email protected] ➔ [email protected] ......

The projects such as @web3-react/frame-connector, which introduced eth-provider@0.2.5, are not maintained anymore. These unmaintained packages can neither upgrade eth-provider nor be easily migrated by the large number of affected downstream projects.
On behalf of the downstream users, could you help us remove the vulnerability from package eth-provider@0.2.5?

Suggested Solution

Since these inactive projects set a version constraint 0.2.* for eth-provider on the above vulnerable dependency paths, if eth-provider removes the vulnerability from 0.2.5 and releases a new patched version [email protected], such a vulnerability patch can be automatically propagated into the 32 affected downstream projects.

In [email protected], you can kindly try to perform the following upgrade: ws 7.1.2 ➔ 7.4.6.
Note: ws@7.4.6 has fixed the vulnerability (CVE-2021-32640).

Thank you for your help.

Best regards, Paimon

paimon0715 · Jul 23 '21 12:07
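The following Node.js script is an added illustration and is not code from the issue or from the eth-provider project. It checks concrete ws versions against the three affected ranges the report lists for CVE-2021-32640, walks a constructed dependency tree shaped like the path above to find where a vulnerable ws is reachable, and shows why a patch release on the 0.2.x line is accepted by the 0.2.* constraint the report mentions. The frame-connector version in the tree and the 0.2.6 patch number are constructed placeholders (the issue names no patched version); use-wallet 0.9.0, eth-provider 0.2.5, ws 7.1.2 and ws 7.4.6 are the numbers the report gives.

```javascript
// Added example, not code from the issue or from eth-provider: audit a
// dependency tree for ws versions affected by CVE-2021-32640 and check a
// semver wildcard constraint. Standard library only.

// Affected ws ranges exactly as the report lists them:
// <5.2.3, >=6.0.0 <6.2.2, >=7.0.0 <7.4.6 (min inclusive, max exclusive)
const WS_AFFECTED_RANGES = [
  { min: null, max: "5.2.3" },
  { min: "6.0.0", max: "6.2.2" },
  { min: "7.0.0", max: "7.4.6" },
];

// Parse a plain MAJOR.MINOR.PATCH string; anything else (prerelease tags,
// garbage) is rejected so a malformed version cannot slip past the check.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}

// Numeric comparison of two versions: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when min <= version < max (min may be absent).
function inRange(version, { min, max }) {
  if (min !== null && compareVersions(version, min) < 0) return false;
  return compareVersions(version, max) < 0;
}

function isWsAffected(version) {
  return WS_AFFECTED_RANGES.some((range) => inRange(version, range));
}

// Does a concrete version satisfy a "MAJOR.MINOR.*" constraint, such as the
// 0.2.* pin the report says the unmaintained intermediaries use?
function satisfiesWildcard(constraint, version) {
  const m = /^(\d+)\.(\d+)\.\*$/.exec(constraint);
  if (!m) throw new Error(`unsupported constraint: ${constraint}`);
  const [major, minor] = parseVersion(version);
  return major === Number(m[1]) && minor === Number(m[2]);
}

// Depth-first walk of a nested {name: {version, dependencies}} tree,
// returning every path that ends in an affected ws.
function findAffectedWs(tree, path = []) {
  const hits = [];
  for (const [name, node] of Object.entries(tree)) {
    const here = [...path, `${name}@${node.version}`];
    if (name === "ws" && isWsAffected(node.version)) hits.push(here.join(" -> "));
    if (node.dependencies) hits.push(...findAffectedWs(node.dependencies, here));
  }
  return hits;
}

// Constructed sample tree shaped like the dependency path in the report.
// The @web3-react/frame-connector version is a placeholder.
const SAMPLE_TREE = {
  "use-wallet": {
    version: "0.9.0",
    dependencies: {
      "@web3-react/frame-connector": {
        version: "1.0.0",
        dependencies: {
          "eth-provider": {
            version: "0.2.5",
            dependencies: { ws: { version: "7.1.2" } },
          },
        },
      },
    },
  },
};

// The same tree after a hypothetical eth-provider patch release on the
// 0.2.x line (0.2.6 is a constructed number) that bumps ws to 7.4.6.
function patchedTree() {
  const tree = JSON.parse(JSON.stringify(SAMPLE_TREE));
  const eth = tree["use-wallet"].dependencies["@web3-react/frame-connector"]
    .dependencies["eth-provider"];
  eth.version = "0.2.6";
  eth.dependencies.ws.version = "7.4.6";
  return tree;
}

console.log("before:", findAffectedWs(SAMPLE_TREE));
console.log("after: ", findAffectedWs(patchedTree()));
console.log("0.2.* accepts 0.2.6:", satisfiesWildcard("0.2.*", "0.2.6"));
console.log("0.2.* accepts 0.7.0:", satisfiesWildcard("0.2.*", "0.7.0"));
```

The range check deliberately treats the upper bound as exclusive and the lower bound as inclusive, matching the `<` / `>=` notation in the report, so 7.4.6 itself is reported clean while 7.1.2 is flagged. Against a real project, the same walk can be run over the `dependencies` object of a `package-lock.json` to see whether any resolved ws lands in an affected range.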