
Security Issue in Dependency - CVE-2022-24434

Open mheironimus-rgare opened this issue 3 years ago • 4 comments

NPM audit, and other security vulnerability scanning tools, are indicating the following issue in version 3.7.1 of s3rver:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Crash in HeaderParser in dicer                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ dicer                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ s3rver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ s3rver > busboy > dicer                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-wm7h-9275-46v2            │
└───────────────┴──────────────────────────────────────────────────────────────┘

My understanding is the issue (https://github.com/advisories/GHSA-wm7h-9275-46v2) was addressed in busboy v1.0.0 (https://github.com/mscdex/busboy/issues/250#issuecomment-997450751). Could a new version of s3rver be released that uses a newer version of busboy to address this issue?

mheironimus-rgare, Jul 05 '22 17:07
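One way to check a project's own lock file for the `s3rver > busboy > dicer` path that npm audit reports above, as an added example in JavaScript that is not part of s3rver or of this thread; it assumes the lockfileVersion 2/3 `packages` layout of package-lock.json and treats busboy 1.0.0, the release this issue cites, as the fixed line:

```javascript
// Nesting chain of a lockfile "packages" key: "node_modules/a/node_modules/b" -> ["a", "b"].
function chainOf(key) {
  return key.split('node_modules/').map(s => s.replace(/\/$/, '')).filter(Boolean);
}

// Numeric compare of "x.y.z" strings; negative if a < b, zero if equal, positive if a > b.
function cmpVersion(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  return 0;
}

// Every busboy copy in the lock that is below 1.0.0 (the release this issue cites as the
// fix) and still lists dicer as a dependency, with the package that pulls each copy in.
// Returns e.g. [{ path: "s3rver > busboy > dicer", busboy: "0.3.1", dicer: "0.3.0" }].
function findVulnerablePaths(lock) {
  const packages = lock.packages || {};
  const findings = [];
  for (const [key, meta] of Object.entries(packages)) {
    const chain = chainOf(key);
    if (chain[chain.length - 1] !== 'busboy') continue;
    if (cmpVersion(meta.version, '1.0.0') >= 0) continue;           // fixed release or later
    if (!(meta.dependencies && meta.dependencies.dicer)) continue;  // no dicer at all
    // The dicer this busboy resolves to: nested under it, else the hoisted top-level copy.
    const nested = key + '/node_modules/dicer';
    const dicerMeta = packages[nested] || packages['node_modules/dicer'];
    const dicer = dicerMeta ? dicerMeta.version : 'unresolved';
    // A nested busboy belongs to its parent; a hoisted one to every package that
    // depends on busboy without carrying its own nested copy ("" is the project root).
    const dependents = chain.length > 1
      ? [chain[chain.length - 2]]
      : Object.entries(packages)
          .filter(([k, m]) => m.dependencies && m.dependencies.busboy && !packages[k + '/node_modules/busboy'])
          .map(([k]) => (k === '' ? '<root>' : chainOf(k).pop()));
    for (const dep of dependents) findings.push({ path: `${dep} > busboy > dicer`, busboy: meta.version, dicer });
  }
  return findings;
}

// Constructed sample lock (lockfileVersion 2 layout), not taken from the s3rver repository.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-app', dependencies: { s3rver: '^3.7.1' } },
    'node_modules/s3rver': { version: '3.7.1', dependencies: { busboy: '^0.3.1' } },
    'node_modules/busboy': { version: '0.3.1', dependencies: { dicer: '0.3.0' } },
    'node_modules/dicer': { version: '0.3.0' },
  },
};
console.log(findVulnerablePaths(SAMPLE_LOCK));
```

Run it against a real lock by replacing `SAMPLE_LOCK` with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`; an empty result means no pre-1.0 busboy that pulls in dicer remains in the tree.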

@jamhall this is quite a serious vulnerability. Are we able to have this resolved? If I make a PR will you merge it?

jpike88, Oct 17 '22 11:10

Hi @jpike88 and @jamhall,

I also think this is a pretty serious vulnerability.

@jpike88, did you manage to solve it? And can you make a PR? I think @jamhall will thank you and, if it works, take it over.

If not, then it would definitely be a help for all other developers.

I would also help, but I don't have enough time to find out for myself.

parajbs, Dec 10 '22 22:12

I don't think the maintainer is very interested in maintaining this; look how many PRs are open and unaddressed. The best thing to do is just fork it.

jpike88, Dec 11 '22 03:12

Hello @jpike88,

It was similar last year until "jamhall" released a new version. I think he collects some PRs until it's worth releasing a new version.

Somewhere it was said that a version 4.0 should follow, but not when.

We can ask @leontastic if he is in contact with @jamhall and if it makes sense to open a PR here.

But if I were you, I would open a PR here, then all developers can help, and the result is useful for everyone. With a fork it would not appear in the original of "jamhall", where it also has to be corrected.

But it's your decision. Let me know and I'll help. Maybe @mheironimus-rgare can help too.

parajbs, Dec 11 '22 04:12