Regex DoS (ReDos) Vulnerability [FIXED] #156
Comments
|
This still affects version 3.0.0 as well |
|
Any updates to this? |
|
I'm about to work on a fix for this, but in the mean time I'd like to list some of the mitigating factors involved so users can decide if they are affected by this or not. This only affects the If you're running this proxy in a publicly accessible manner then this vulnerability is probably the least of your concerns. |
In addition to being faster by not re-parsing the string, this also addresses #156 Signed-off-by: Ryan Graham <[email protected]>
|
v3.0.1 has been published with a fix. |
|
I'm at a loss as to how to update the vulnerability DBs 😞
It would also be nice to update the update the severity since "high" seems a little misleading considering you need to do something already considered dangerous (run a dev tool as a public open proxy) in order to even expose this. |
|
Do you just email [email protected] or [email protected] ? |
|
Snyk and HackerOne are not affiliated with npm/nsp so I'm not sure what they would be able to do about it. |
rmg
changed the title
|
This stills affects version 3.0.1 as well, here is "npm audit" report extract: |
|
@fmagaldea that advisory is incorrect. |
|
@rmg How can we fix the |
|
Any updates to this ? I get the vulnerability is fixed but it's still showing the advisory |
|
I've sent an email to [email protected] to ask them to update the record. |
|
When you do get that record updated, would you bump the version to 3.0.2 to make sure our random internal processes see it as a new artifact? |
|
I just installed node-foreman and ran |
From Snyk
✗ High severity vulnerability found on [email protected]
The text was updated successfully, but these errors were encountered: