vulnerabilities in npm dependencies

ugh, npm.

There are 50 npm security advisories affecting our repositories.

#1670: handlebars (CVE-2021-23369)

Severity: critical

handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.

Affected repositories (1)

#1746: xmlhttprequest-ssl (CVE-2021-31597)

Severity: critical

The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.

Affected repositories (1)

#1219: markdown-to-jsx

Severity: high

Versions of markdown-to-jsx prior to 6.11.4 are vulnerable to Cross-Site Scripting. Due to insufficient input sanitization the package may render output containing malicious JavaScript. This vulnerability can be exploited through input of links containing data or VBScript URIs and a base64-encoded payload.

Affected repositories (1)

#1464: cryptiles (CVE-2018-1000620)

Severity: high

Versions of cryptiles prior to 4.1.2 are vulnerable to Insufficient Entropy. The randomDigits() method does not provide sufficient entropy and its generates digits that are not evenly distributed.

Affected repositories (1)

#1547: elliptic (CVE-2020-13822)

Severity: high

The Elliptic package before version 6.5.3 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.

Affected repositories (1)

#1548: serialize-javascript

Severity: high

serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".

An object such as {"foo": /1"/, "bar": "a\"@__R-<UID>-0__@"} was serialized as {"foo": /1"/, "bar": "a\/1"/}, which allows an attacker to escape the bar key. This requires the attacker to control the values of both foo and bar and guess the value of . The UID has a keyspace of approximately 4 billion making it a realistic network attack.

The following proof-of-concept calls console.log() when the running eval():
eval('('+ serialize({"foo": /1" + console.log(1)/i, "bar": '"@__R-<UID>-0__@'}) + ')');

Affected repositories (2)

#1555: bl

Severity: high

A buffer over-read vulnerability exists in bl <4.0.3, <3.0.1 <2.2.1 and <1.2.3 which could allow an attacker to supply user input (even typed) that if it ends up in consume() argument and can become negative, the BufferList state can be corrupted, tricking it into exposing uninitialized memory via regular .slice() calls.

Affected repositories (4)

#1561: node-forge (CVE-2020-7720)

Severity: high

The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions.

Affected repositories (1)

#1594: axios (CVE-2020-28168)

Severity: high

The axios NPM package before 0.21.1 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.

Affected repositories (1)

#1603: immer (CVE-2020-28477)

Severity: high

Overview

Affected versions of immer are vulnerable to Prototype Pollution.

Proof of exploit

const {applyPatches, enablePatches} = require("immer"); enablePatches(); let obj = {}; console.log("Before : " + obj.polluted); applyPatches({}, [ { op: 'add', path: [ "__proto__", "polluted" ], value: "yes" } ]); // applyPatches({}, [ { op: 'replace', path: [ "__proto__", "polluted" ], value: "yes" } ]); console.log("After : " + obj.polluted);

Remediation

Version 8.0.1 contains a fix for this vulnerability, updating is recommended.

Affected repositories (4)

#1631: diff

Severity: high

Affected versions of diff are vulnerable to Regular Expression Denial of Service (ReDoS). This can cause an impact of about 10 seconds matching time for data 48K characters long.

Affected repositories (2)

#1654: y18n (CVE-2020-7774)

Severity: high

y18n before versions 3.2.2, 4.0.1, and 5.0.5 is vulnerable to prototype pollution.

POC

``` const y18n = require('y18n')();

y18n.setLocale('proto'); y18n.updateLocale({polluted: true});

console.log(polluted); // true ```

Affected repositories (5)

#1665: xmlhttprequest-ssl (CVE-2020-28502)

Severity: high

In xmlhttprequest-ssl before 1.6.2 when requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.

Affected repositories (1)

#1666: merge (CVE-2020-28499)

Severity: high

Versions of merge before 2.1.1 are vulnerable to Prototype Pollution via _recursiveMerge .

Affected repositories (2)

#1673: lodash (CVE-2021-23337)

Severity: high

lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Affected repositories (7)

#1674: underscore (CVE-2021-23358)

Severity: high

The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Execution via the template function, particularly when a variable property is passed as an argument as it is not sanitized.

Affected repositories (531)

#1678: url-parse (CVE-2021-27515)

Severity: high

url-parse before 1.5.0 mishandles certain uses of backslash such as http:\/ and interprets the URI as a relative path.

Affected repositories (1)

#1679: ua-parser-js (CVE-2021-27292)

Severity: high

ua-parser-js >= 0.7.14, fixed in 0.7.24, uses a regular expression which is vulnerable to denial of service. If an attacker sends a malicious User-Agent header, ua-parser-js will get stuck processing it for an extended period of time.

Affected repositories (6)

#1681: property-expr (CVE-2020-7707)

Severity: high

property-expr before 2.0.3 are vulnerable to Prototype Pollution via the setter function.

Affected repositories (1)

#1684: grunt (CVE-2020-7729)

Severity: high

Versions of grunt before 1.3.0 are vulnerable to Arbitrary Code Execution due to the default usage of the function load() instead of its secure replacement safeLoad() of the package js-yaml inside grunt.file.readYAML.

Affected repositories (5)

#1700: trim (CVE-2020-7753)

Severity: high

Versions of trim lower than 0.0.3 are vulnerable to Regular Expression Denial of Service (ReDoS) via trim().

Affected repositories (6)

#1753: trim-newlines (CVE-2021-33623)

Severity: high

trim-newlines before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.

Affected repositories (13)

#1755: normalize-url (CVE-2021-33502)

Severity: high

normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.

Affected repositories (3)

#1762: prismjs (CVE-2021-32723)

Severity: high

In prismjs before 1.24.0 some languages are vulnerable to Regular Expression Denial of Service (ReDoS).

Impact

When Prism is used to highlight untrusted (user-given) text, an attacker can craft a string that will take a very very long time to highlight. Do not use the following languages to highlight untrusted text.

Other languages are not affected and can be used to highlight untrusted text.

Patches

This problem has been fixed in Prism v1.24.

References

Affected repositories (5)

#1763: socket.io-parser (CVE-2020-36049)

Severity: high

The socket.io-parser npm package before versions 3.3.2 and 3.4.1 allows attackers to cause a denial of service (memory consumption) via a large packet because a concatenation approach is used.

Affected repositories (1)

#1426: serialize-javascript (CVE-2019-16769)

Severity: moderate

Versions of serialize-javascript prior to 2.1.1 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize serialized regular expressions. This vulnerability does not affect Node.js applications.

Affected repositories (1)

#1488: acorn

Severity: moderate

Affected versions of acorn are vulnerable to Regular Expression Denial of Service. A regex in the form of /[x-\ud800]/u causes the parser to enter an infinite loop. The string is not valid UTF16 which usually results in it being sanitized before reaching the parser. If an application processes untrusted input and passes it directly to acorn, attackers may leverage the vulnerability leading to Denial of Service.

Affected repositories (1)

#1518: jquery (CVE-2020-11022)

Severity: moderate

Versions of jquery prior to 3.5.0 are vulnerable to Cross-Site Scripting. Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute arbitrary JavaScript in a victim's browser.

Affected repositories (3)

#1609: socket.io (CVE-2020-28481)

Severity: moderate

Affected versions of socket.io are vulnerable to Insecure Defaults due to CORS Misconfiguration. All domains are whitelisted by default.

Affected repositories (1)

#1638: prismjs (CVE-2021-23341)

Severity: moderate

prismjs versions before 1.23.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the prism-asciidoc, prism-rest, prism-tap and prism-eiffel components.

Affected repositories (5)

#1648: elliptic (CVE-2020-28498)

Severity: moderate

elliptic before version 6.5.4 is vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the derive function actually exists on the secp256k1 curve. This results in the potential for the private key used in this implementation to be revealed after a number of ECDH operations are performed.

Affected repositories (1)

#1651: msgpack5 (CVE-2021-21368)

Severity: moderate

Impact

When msgpack5 decodes a map containing a key "__proto__", it assigns the decoded value to __proto__. As you are no doubt aware, Object.prototype.__proto__ is an accessor property for the receiver's prototype. If the value corresponding to the key __proto__ decodes to an object or null, msgpack5 sets the decoded object's prototype to that value.

An attacker who can submit crafted MessagePack data to a service can use this to produce values that appear to be of other types; may have unexpected prototype properties and methods (for example length, numeric properties, and push et al if __proto__'s value decodes to an Array); and/or may throw unexpected exceptions when used (for example if the __proto__ value decodes to a Map or Date). Other unexpected behavior might be produced for other types.

There is no effect on the global prototype.

An example:

```js const msgpack5 = require('msgpack5')();

const payload = {}; Object.defineProperty(payload, 'proto', { value: new Map().set(1, 2), enumerable: true });

const encoded = msgpack5.encode(payload); console.log(encoded); //

const decoded = msgpack5.decode(encoded);

// decoded's prototype has been overwritten console.log(Object.getPrototypeOf(decoded)); // Map(1) { 1 => 2 } console.log(decoded.get); // [Function: get]

// decoded appears to most common typechecks to be a Map console.log(decoded instanceof Map); // true console.log(decoded.toString()); // [object Map] console.log(Object.prototype.toString.call(decoded)); // [object Map] console.log(decoded.constructor.name); // Map console.log(Object.getPrototypeOf(decoded).constructor.name); // Map

// decoded is not, however, a Map console.log(Object.getPrototypeOf(decoded) === Map.prototype); // false

// using decoded as though it were a Map throws try { decoded.get(1); } catch (error) { console.log(error); // TypeError: Method Map.prototype.get called // on incompatible receiver # } try { decoded.size; } catch (error) { console.log(error); // TypeError: Method get Map.prototype.size // called on incompatible receiver # }

// re-encoding the decoded value throws try { msgpack5.encode(decoded); } catch (error) { console.log(error); // TypeError: Method Map.prototype.entries // called on incompatible receiver # } ```

This "prototype poisoning" is sort of a very limited inversion of a prototype pollution attack. Only the decoded value's prototype is affected, and it can only be set to msgpack5 values (though if the victim makes use of custom codecs, anything could be a msgpack5 value). We have not found a way to escalate this to true prototype pollution (absent other bugs in the consumer's code).

Workarounds

Always validate incoming data after parsing before doing any processing.

Affected repositories (1)

#1677: hosted-git-info (CVE-2021-23362)

Severity: moderate

hosted-git-info before versions 2.8.9 and 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity

Affected repositories (6)

#1693: postcss (CVE-2021-23368)

Severity: moderate

postcss from 7.0.0 and before version 7.0.36 and 8.2.10 is vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.

Affected repositories (9)

#1702: codemirror (CVE-2020-7760)

Severity: moderate

codemirror before 5.58.2 is vulnerable to a regular expression denial of service. The vulnerable regular expression is located in https://github.com/codemirror/CodeMirror/blob/cdb228ac736369c685865b122b736cd0d397836c/mode/javascript/javascript.jsL129. The ReDOS vulnerability of the regex is mainly due to the sub-pattern (s|/.?/)

Affected repositories (1)

#1710: websocket-extensions (CVE-2020-7662)

Severity: moderate

In websocket-extensions before version 0.1.4, there is a vulnerability which allows an attacker to exhaust the server's capacity to process incoming requests by sending a WebSocket handshake request containing a header of the following form:

`Sec-WebSocket-Extensions: a; b="\c\c\c\c\c\c\c\c\c\c ...`

That is, a header containing an unclosed string parameter value whose content is a repeating two-byte sequence of a backslash and some other character. The parser takes exponential time to reject this header as invalid, and this will block the processing of any other work on the same thread. Thus if you are running a single-threaded server, such a request can render your service completely unavailable.

Affected repositories (2)

#1747: browserslist (CVE-2021-23364)

Severity: moderate

The package browserslist from 4.0.0 and before 4.16.5 are vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.

Affected repositories (9)

#1748: ws (CVE-2021-32640)

Severity: moderate

In ws before versions 5.2.3, 6.2.2 and 7.4.6 there is a ReDOS vulnerability.

Impact

A specially crafted value of the Sec-Websocket-Protocol header can be used to significantly slow down a ws server.

Proof of concept

```js for (const length of [1000, 2000, 4000, 8000, 16000, 32000]) { const value = 'b' + ' '.repeat(length) + 'x'; const start = process.hrtime.bigint();

value.trim().split(/ , /);

const end = process.hrtime.bigint();

console.log('length = %d, time = %f ns', length, end - start); } ```

Patches

The vulnerability was fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff).

Workarounds

In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options.

Credits

The vulnerability was responsibly disclosed along with a fix in private by Robert McLaughlin from University of California, Santa Barbara.

Affected repositories (4)

#1751: glob-parent (CVE-2020-28469)

Severity: moderate

glob-parent before 5.1.2 has a regular expression denial of service vulnerability. The enclosure regex used to check for strings ending in enclosure containing path separator.

Affected repositories (14)

#548: static-eval (CVE-2017-16226)

Severity: moderate

Affected versions of static-eval pass untrusted user input directly to the global function constructor, resulting in an arbitrary code execution vulnerability when user input is parsed via the package.

Proof of concept

var evaluate = require('static-eval'); var parse = require('esprima').parse; var src = '(function(){console.log(process.pid)})()'; var ast = parse(src).body[0].expression; var res = evaluate(ast, {}); // Will print the process id

Affected repositories (1)

#565: ssri

Severity: moderate

ssri 5.2.2-6.0.1 and 7.0.0-7.1.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.

Affected repositories (1)

#758: static-eval

Severity: moderate

Versions of static-evalprior to 2.0.2 pass untrusted user input directly to the global function constructor, resulting in an arbitrary code execution vulnerability when user input is parsed via the package.

Proof of concept

``` var evaluate = require('static-eval'); var parse = require('esprima').parse;

var src = process.argv[2]; var payload = '(function({x}){return x.constructor})({x:"".sub})("console.log(process.env)")()' var ast = parse(payload).body[0].expression; console.log(evaluate(ast, {x:1})); ```

Affected repositories (1)

#796: jquery (CVE-2019-5428)

Severity: moderate

Versions of jquery prior to 3.4.0 are vulnerable to Prototype Pollution. The extend() method allows an attacker to modify the prototype for Object causing changes in properties that will exist on all objects.

Affected repositories (2)

#1179: minimist

Severity: low

Affected versions of minimist are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument --__proto__.y=Polluted adds a y property with value Polluted to all objects. The argument --__proto__=Polluted raises and uncaught error and crashes the application.
This is exploitable if attackers have control over the arguments being passed to minimist.

Affected repositories (9)

#1490: kind-of

Severity: low

Versions of kind-of 6.x prior to 6.0.3 are vulnerable to a Validation Bypass. A maliciously crafted object can alter the result of the type check, allowing attackers to bypass the type checking validation.

Affected repositories (1)

#1500: yargs-parser

Severity: low

Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument --foo.__proto__.bar baz' adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.

Affected repositories (1)

#1523: lodash (CVE-2019-10744)

Severity: low

Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The function zipObjectDeep allows a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires zipping objects based on user-provided property arrays.

This vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.

Affected repositories (3)

#1556: node-fetch (CVE-2020-15168)

Severity: low

Node Fetch did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure.

For most people, this fix will have a little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant, for example: If you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.

Affected repositories (4)

#1589: ini

Severity: low

ini before version 1.3.6 has a Prototype Pollution vulnerability.

Impact

If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.

Patches

This has been patched in 1.3.6

Steps to reproduce

payload.ini [__proto__] polluted = "polluted"

poc.js: ``` var fs = require('fs') var ini = require('ini')

var parsed = ini.parse(fs.readFileSync('./payload.ini', 'utf-8')) console.log(parsed) console.log(parsed.proto) console.log(polluted) ```

```

node poc.js {} { polluted: 'polluted' } { polluted: 'polluted' } polluted

```

Affected repositories (8)

#1650: xmldom (CVE-2021-21366)

Severity: low

Impact

xmldom versions 0.4.0 and older do not correctly preserve system identifiers, FPIs or namespaces when repeatedly parsing and serializing maliciously crafted documents.

This may lead to unexpected syntactic changes during XML processing in some downstream applications.

Workarounds

Downstream applications can validate the input and reject the maliciously crafted documents.

Affected repositories (4)
Source code is licensed under the AGPL.