
Security vulnerability - upgrade cli-shared-utils/node_modules/execa to version 2.0.0 or above

Open MeganPaffrath opened this issue 1 year ago • 3 comments

Version

5.0.8

Environment info

Local

Steps to reproduce

I am unsure.

What is expected?

To not get vulnerability errors from our scanner.

What is actually happening?

We are getting the following vulnerability error:

Uncontrolled Search Path Element Attackers could trick execa into executing arbitrary binaries. This behaviour is caused by the setting preferLocal=true which makes execa search for locally installed binaries and executes them. This vulnerability is usually only exploitable when using execa on a client-side LOCAL application.

The proposed solution from our scanner is to upgrade execa to version 2.0.0 or above.


Thank you for taking the time to investigate!

MeganPaffrath avatar Jul 10 '23 21:07 MeganPaffrath

Is there any plan to patch this vulnerable dependency?

bilby91 avatar Aug 14 '23 17:08 bilby91

I see there are two dependencies on a vulnerable version of execa:

[Screenshot 2023-08-16 at 3:37:57 PM: dependency tree image, not reproduced here]

jeffreyrubi avatar Aug 16 '23 19:08 jeffreyrubi

I've come across the same vulnerability error related to execa. Is there any plan in place for fixing this issue?

Your assistance or any updates on this matter would be greatly appreciated.

Krishna7852 avatar Oct 25 '23 08:10 Krishna7852