
Update Swagger UI to 4.1.3 or greater to resolve CVE-2018-25031

Open bradbm opened this issue 2 years ago • 2 comments

Repro Steps (if applicable)

  1. Observe that package.json references swagger-ui 3.48 and up
  2. Swagger fixed CVE-2018-25031 in December 2021 with release of Swagger-UI 4.1.3
  3. This can also be observed with the version of Swagger-UI included in the /static file when Flask-RestX is installed.

Expected Behavior

Flask-RestX installs version of Swagger-UI 4.1.3 or above

Actual Behavior

Flask-RestX installs a vulnerable version of Swagger UI

Error Messages/Stack Trace

None. Dependency scanners will flag this as well.

Environment

  • Python version - Multiple 3.x
  • Flask version - Multiple
  • Flask-RESTX version: 0.5.1
  • Other installed Flask extensions

Additional Context

The Swagger UI 3 -> 4 breaking changes seem to be limited to react / redux per release notes, so I believe simply updating the package.json file will fix the issue.

bradbm avatar Apr 22 '22 16:04 bradbm
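A defender-side check that follows the issue's own reasoning (a declared Swagger UI floor below 4.1.3, or a bundled copy below 4.1.3 in the installed `static` directory, indicates exposure to CVE-2018-25031). This is an added example, not code from the issue, from flask-restx, or from restx-monkey. The package.json and bundle snippets are constructed samples; the assumption that the built bundle embeds its version as `version:"X.Y.Z"` and the `flask_restx/static` directory name are assumptions to confirm against the real install.

```python
import json
import re
from pathlib import Path
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# First Swagger UI release that fixes CVE-2018-25031, as stated in the issue.
MIN_SAFE_VERSION: Version = (4, 1, 3)

# Constructed sample inputs (not taken from the flask-restx repository).
SAMPLE_PACKAGE_JSON = '{"dependencies": {"swagger-ui-dist": "^3.48.0"}}'
SAMPLE_BUNDLE_JS = 'var x={version:"4.1.3",gitRevision:"deadbeef"};'


def parse_version(spec: str) -> Optional[Version]:
    """Pull the numeric part out of a version or range spec such as '^3.48.0' or '4.1'.
    For a range this is the lower bound, i.e. the oldest version the spec admits."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", spec)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch) if patch else 0)


def swagger_ui_version_from_package_json(text: str) -> Optional[Version]:
    """Return the declared Swagger UI version floor from a package.json document."""
    data = json.loads(text)
    for section in ("dependencies", "devDependencies"):
        for name, spec in data.get(section, {}).items():
            if name in ("swagger-ui", "swagger-ui-dist"):
                return parse_version(spec)
    return None


def swagger_ui_version_from_bundle(js_text: str) -> Optional[Version]:
    """Assumption: the built swagger-ui bundle embeds its version as version:"X.Y.Z"."""
    m = re.search(r'version\s*:\s*["\'](\d+\.\d+\.\d+)["\']', js_text)
    return parse_version(m.group(1)) if m else None


def is_vulnerable(version: Optional[Version]) -> bool:
    """True when the version is known and older than the fixed release.
    An unknown version is reported as not vulnerable here; treat it as 'inspect manually'."""
    return version is not None and version < MIN_SAFE_VERSION


def check_static_dir(static_dir: Path) -> Dict[str, dict]:
    """Scan every .js file in an installed flask_restx/static directory (the path is an
    assumption; pass the real one) and report each bundled Swagger UI version found."""
    results: Dict[str, dict] = {}
    for js in static_dir.glob("*.js"):
        found = swagger_ui_version_from_bundle(js.read_text(encoding="utf-8", errors="ignore"))
        if found is not None:
            results[js.name] = {"version": found, "vulnerable": is_vulnerable(found)}
    return results


if __name__ == "__main__":
    declared = swagger_ui_version_from_package_json(SAMPLE_PACKAGE_JSON)
    print("declared floor:", declared, "vulnerable:", is_vulnerable(declared))
    bundled = swagger_ui_version_from_bundle(SAMPLE_BUNDLE_JS)
    print("bundled:", bundled, "vulnerable:", is_vulnerable(bundled))
```

The package.json check only tells you the lowest version the range admits; a lockfile can resolve a `^3.48.0` range to a newer 3.x, but any 3.x is still below 4.1.3, which is why the issue treats the range alone as sufficient evidence. The static-directory scan is the authoritative check for a given install, since it looks at the assets Flask-RESTX actually serves.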

If you have found the source lines for the dependency problem, I can include a fix in my restx-monkey patches.

Ryu-CZ avatar Aug 31 '22 14:08 Ryu-CZ

Hi again, patched in restx-monkey 0.3+. Feedback is welcome. The patch only works if the user account has rights to edit the site-packages directory containing the flask-restx/static files. Internally the patch replaces those files with new assets.

Ryu-CZ avatar Sep 07 '22 12:09 Ryu-CZ

This is now updated in flask-restx==1.1.0.

peter-doggart avatar Mar 04 '23 13:03 peter-doggart