
Mitigating security issues of jsonpickle

Open kukgini opened this issue 1 year ago • 1 comments

A security guy told me about indy-node vulnerabilities. It's about a jsonpickle security issue, and it is classified as critical. https://github.com/advisories/GHSA-j66q-qmrc-89rx

However, the jsonpickle team defended that it is intended. And they suggested that, to be sure to be safe, users of this library should set safe=True when calling jsonpickle.decode(). https://github.com/jsonpickle/jsonpickle/issues/335

It appears that in indy-plenum, jsonpickle.decode() is called without the safe parameter. Wouldn't it be better to add it?

kukgini, Jun 13 '24 01:06

@kukgini plenum uses jsonpickle version 3.0.3 which isn't vulnerable. The NVD states that the vulnerability only affects version 1.4.1 and below.

PatStLouis, Sep 13 '24 18:09
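
One way to audit a code base for the call pattern raised in this issue, as an added example that is not part of the thread or of indy-plenum's code: a small static check that finds jsonpickle.decode() calls which do not pass a literal safe=True. The function name find_unsafe_decode_calls and the sample source are constructed for illustration.

```python
import ast

# Constructed sample source; not taken from indy-plenum.
SAMPLE = '''\
import jsonpickle
import jsonpickle as jp
from jsonpickle import decode as jdecode

a = jsonpickle.decode(raw)
b = jp.decode(raw, safe=True)
c = jdecode(raw, safe=False)
d = jsonpickle.decode(raw, keys=True, safe=flag)
e = raw.decode("utf-8")
'''

def find_unsafe_decode_calls(source, filename="<constructed>"):
    """Return sorted (line, reason) pairs for jsonpickle decode calls without a literal safe=True."""
    tree = ast.parse(source, filename=filename)
    modules, funcs = set(), set()  # local names bound to jsonpickle / jsonpickle.decode
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            modules.update(a.asname or a.name for a in node.names if a.name == "jsonpickle")
        elif isinstance(node, ast.ImportFrom) and node.module == "jsonpickle":
            funcs.update(a.asname or a.name for a in node.names if a.name == "decode")
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        f = node.func
        via_module = (isinstance(f, ast.Attribute) and f.attr == "decode"
                      and isinstance(f.value, ast.Name) and f.value.id in modules)
        via_name = isinstance(f, ast.Name) and f.id in funcs
        if not (via_module or via_name):
            continue  # e.g. bytes.decode(), unrelated to jsonpickle
        safe_kw = next((k for k in node.keywords if k.arg == "safe"), None)
        if safe_kw is None:
            findings.append((node.lineno, "safe not passed"))
        elif not (isinstance(safe_kw.value, ast.Constant) and safe_kw.value.value is True):
            findings.append((node.lineno, "safe is not the literal True"))
    return sorted(findings)

if __name__ == "__main__":
    for line, reason in find_unsafe_decode_calls(SAMPLE):
        print(f"line {line}: {reason}")
```

Calls that pass safe positionally or through **kwargs are reported as "safe not passed" and need a manual look.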