serve
Could you help remove the high severity vulnerability introduced by ajv?
Hi, @leo, I stumbled upon a high severity vulnerability introduced by package [email protected]:
Issue Description
I noticed that [email protected] directly depends on [email protected] by accident. However, the vulnerability CVE-2020-15366 is detected in package ajv<6.12.3.
As you can see, [email protected] is so popular that a large number of projects depend on it (203,658 downloads per week and about 271 downstream projects, e.g., react-static 7.5.3, father 2.30.6, landr 6.18.0, sisa 4.4.0, @anyfin/ui 5.4.35, etc.).
In this case, the vulnerability CVE-2020-15366 can be propagated into these downstream projects and expose security threats to them.
As far as I know, [email protected] is introduced into the above projects via the following package dependency paths:
(1) [email protected] ➔ [email protected] ➔ [email protected] ➔ [email protected] ➔ [email protected] ➔ [email protected]
......
I know that it's kind of you to have removed the vulnerability since [email protected]. But, in fact, the above large amount of downstream projects cannot easily upgrade serve from version 11.3.2 to (>=12.0.0): The projects such as umi-library, which introduced [email protected], are not maintained anymore. These unmaintained packages can neither upgrade serve nor be easily migrated by the large amount of affected downstream projects.
Given the large number of downstream users, is it possible to release a new patched version with the updated dependency to remove the vulnerability from package [email protected]?
Suggested Solution
As you know, since these inactive projects set a version constraint 11.3.* for serve on the above vulnerable dependency paths, if serve removes the vulnerability from 11.3.2 and releases a new patched version [email protected], such a vulnerability patch can be automatically propagated into the downstream projects.
The simplest way to remove the vulnerability is to perform the following upgrade in [email protected] (not crossing a major version):
ajv 6.5.3 ➔ 6.12.3;
Note:
[email protected] (>=6.12.3) has fixed the vulnerability (CVE-2020-15366).
If you have any other ways to resolve the issue, you are welcome to share with me.
Thank you for your help.^_^
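A small check a downstream maintainer could run to confirm whether the transitive ajv copy the issue describes is actually present in their own tree. This is an added example, not code from the serve project or from the issue author: it walks a package-lock.json in the lockfileVersion 1 layout (nested `dependencies` blocks with `version`/`requires`) and prints every dependency path that ends in an ajv release older than 6.12.3, the first release the issue names as fixing CVE-2020-15366. The embedded lockfile is constructed for illustration; the package names are real, the nesting and the umi-library version are invented.

```python
"""Report every dependency path in an npm package-lock.json (lockfileVersion 1)
that ends in an ajv release older than 6.12.3, the fix version named in the
issue for CVE-2020-15366."""
import json

# Constructed sample lockfile, a trimmed stand-in for a project that pins
# serve 11.3.x through an unmaintained intermediate package. Package names
# are real; the nesting and the umi-library version are invented.
SAMPLE_LOCK = json.loads("""
{
  "name": "example-app",
  "lockfileVersion": 1,
  "dependencies": {
    "umi-library": {
      "version": "1.0.0",
      "requires": {"serve": "11.3.2"},
      "dependencies": {
        "serve": {
          "version": "11.3.2",
          "requires": {"ajv": "6.5.3"},
          "dependencies": {
            "ajv": {"version": "6.5.3"}
          }
        }
      }
    },
    "ajv": {"version": "6.12.3"}
  }
}
""")

# First ajv release that fixes CVE-2020-15366, per the issue text.
FIXED_AJV = (6, 12, 3)


def parse_version(v):
    """Turn '6.12.3' into (6, 12, 3); pre-release and build tags are dropped,
    which is enough for comparing plain release numbers in a lockfile."""
    core = v.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))


def is_vulnerable_ajv(version):
    """True when the given ajv version predates the fix."""
    return parse_version(version) < FIXED_AJV


def vulnerable_paths(lock, package="ajv", fixed=FIXED_AJV):
    """Return one 'a@1 -> b@2 -> ajv@x.y.z' string per vulnerable copy.

    Nested 'dependencies' blocks are walked recursively, so a hoisted fixed
    copy at the top level does not hide an older copy nested under serve."""
    results = []

    def walk(deps, path):
        for name, info in deps.items():
            version = info.get("version")
            here = path + [f"{name}@{version}"]
            if name == package and version and parse_version(version) < fixed:
                results.append(" -> ".join(here))
            walk(info.get("dependencies", {}), here)

    walk(lock.get("dependencies", {}), [])
    return results


if __name__ == "__main__":
    for p in vulnerable_paths(SAMPLE_LOCK):
        print("vulnerable:", p)
```

Against the sample tree the top-level ajv 6.12.3 is silently accepted and the nested copy under serve 11.3.2 is reported with its full path, which is the situation the issue describes: a project can have a fixed ajv at the root and still ship the vulnerable one through an unmaintained intermediate. To run it on a real project, replace `SAMPLE_LOCK` with `json.load(open("package-lock.json"))`.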
FYI, I guess this issue was fixed by #635 and included on release 12.0.0 (https://github.com/vercel/serve/releases/tag/12.0.0). This issue is similar to #633 too.
Was it? Or should we publish a patch release for a smaller major?