vulnerabilities in npm dependencies

ugh, npm.

There are 25 npm security advisories affecting our repositories.

#1219: markdown-to-jsx

Severity: high

Versions of markdown-to-jsx prior to 6.11.4 are vulnerable to Cross-Site Scripting. Due to insufficient input sanitization the package may render output containing malicious JavaScript. This vulnerability can be exploited through input of links containing data or VBScript URIs and a base64-encoded payload.

Affected repositories (2)

#1464: cryptiles (CVE-2018-1000620)

Severity: high

Versions of cryptiles prior to 4.1.2 are vulnerable to Insufficient Entropy. The randomDigits() method does not provide sufficient entropy and its generates digits that are not evenly distributed.

Affected repositories (1)

#1547: elliptic (CVE-2020-13822)

Severity: high

The Elliptic package before version 6.5.3 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.

Affected repositories (2)

#1548: serialize-javascript

Severity: high

serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".

An object such as {"foo": /1"/, "bar": "a\"@__R-<UID>-0__@"} was serialized as {"foo": /1"/, "bar": "a\/1"/}, which allows an attacker to escape the bar key. This requires the attacker to control the values of both foo and bar and guess the value of . The UID has a keyspace of approximately 4 billion making it a realistic network attack.

The following proof-of-concept calls console.log() when the running eval():
eval('('+ serialize({"foo": /1" + console.log(1)/i, "bar": '"@__R-<UID>-0__@'}) + ')');

Affected repositories (3)

#1555: bl

Severity: high

A buffer over-read vulnerability exists in bl <4.0.3, <3.0.1 <2.2.1 and <1.2.3 which could allow an attacker to supply user input (even typed) that if it ends up in consume() argument and can become negative, the BufferList state can be corrupted, tricking it into exposing uninitialized memory via regular .slice() calls.

Affected repositories (5)

#1561: node-forge (CVE-2020-7720)

Severity: high

The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions.

Affected repositories (1)

#1594: axios (CVE-2020-28168)

Severity: high

The axios NPM package before 0.21.1 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.

Affected repositories (2)

#1603: immer (CVE-2020-28477)

Severity: high

Overview

Affected versions of immer are vulnerable to Prototype Pollution.

Proof of exploit

const {applyPatches, enablePatches} = require("immer"); enablePatches(); let obj = {}; console.log("Before : " + obj.polluted); applyPatches({}, [ { op: 'add', path: [ "__proto__", "polluted" ], value: "yes" } ]); // applyPatches({}, [ { op: 'replace', path: [ "__proto__", "polluted" ], value: "yes" } ]); console.log("After : " + obj.polluted);

Remediation

Version 8.0.1 contains a fix for this vulnerability, updating is recommended.

Affected repositories (4)

#1631: diff

Severity: high

Affected versions of diff are vulnerable to Regular Expression Denial of Service (ReDoS). This can cause an impact of about 10 seconds matching time for data 48K characters long.

Affected repositories (2)

#813: js-yaml

Severity: high

Versions of js-yaml prior to 3.13.1 are vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file. Objects that have toString as key, JavaScript code as value and are used as explicit mapping keys allow attackers to execute the supplied code through the load() function. The safeLoad() function is unaffected.

An example payload is { toString: !<tag:yaml.org,2002:js/function> 'function (){return Date.now()}' } : 1 which returns the object { "1553107949161": 1 }

Affected repositories (1)

#1426: serialize-javascript (CVE-2019-16769)

Severity: moderate

Versions of serialize-javascript prior to 2.1.1 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize serialized regular expressions. This vulnerability does not affect Node.js applications.

Affected repositories (1)

#1488: acorn

Severity: moderate

Affected versions of acorn are vulnerable to Regular Expression Denial of Service. A regex in the form of /[x-\ud800]/u causes the parser to enter an infinite loop. The string is not valid UTF16 which usually results in it being sanitized before reaching the parser. If an application processes untrusted input and passes it directly to acorn, attackers may leverage the vulnerability leading to Denial of Service.

Affected repositories (1)

#1518: jquery (CVE-2020-11022)

Severity: moderate

Versions of jquery prior to 3.5.0 are vulnerable to Cross-Site Scripting. Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute arbitrary JavaScript in a victim's browser.

Affected repositories (5)

#1609: socket.io (CVE-2020-28481)

Severity: moderate

Affected versions of socket.io are vulnerable to Insecure Defaults due to CORS Misconfiguration. All domains are whitelisted by default.

Affected repositories (2)

#1638: prismjs (CVE-2021-23341)

Severity: moderate

prismjs versions before 1.23.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the prism-asciidoc, prism-rest, prism-tap and prism-eiffel components.

Affected repositories (5)

#548: static-eval (CVE-2017-16226)

Severity: moderate

Affected versions of static-eval pass untrusted user input directly to the global function constructor, resulting in an arbitrary code execution vulnerability when user input is parsed via the package.

Proof of concept

var evaluate = require('static-eval'); var parse = require('esprima').parse; var src = '(function(){console.log(process.pid)})()'; var ast = parse(src).body[0].expression; var res = evaluate(ast, {}); // Will print the process id

Affected repositories (1)

#758: static-eval

Severity: moderate

Versions of static-evalprior to 2.0.2 pass untrusted user input directly to the global function constructor, resulting in an arbitrary code execution vulnerability when user input is parsed via the package.

Proof of concept

``` var evaluate = require('static-eval'); var parse = require('esprima').parse;

var src = process.argv[2]; var payload = '(function({x}){return x.constructor})({x:"".sub})("console.log(process.env)")()' var ast = parse(payload).body[0].expression; console.log(evaluate(ast, {x:1})); ```

Affected repositories (1)

#788: js-yaml

Severity: moderate

Versions of js-yaml prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources leading to a Denial of Service.

Affected repositories (1)

#796: jquery (CVE-2019-5428)

Severity: moderate

Versions of jquery prior to 3.4.0 are vulnerable to Prototype Pollution. The extend() method allows an attacker to modify the prototype for Object causing changes in properties that will exist on all objects.

Affected repositories (2)

#1179: minimist

Severity: low

Affected versions of minimist are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument --__proto__.y=Polluted adds a y property with value Polluted to all objects. The argument --__proto__=Polluted raises and uncaught error and crashes the application.
This is exploitable if attackers have control over the arguments being passed to minimist.

Affected repositories (9)

#1490: kind-of

Severity: low

Versions of kind-of 6.x prior to 6.0.3 are vulnerable to a Validation Bypass. A maliciously crafted object can alter the result of the type check, allowing attackers to bypass the type checking validation.

Affected repositories (1)

#1500: yargs-parser

Severity: low

Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument --foo.__proto__.bar baz' adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.

Affected repositories (1)

#1523: lodash (CVE-2019-10744)

Severity: low

Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The function zipObjectDeep allows a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires zipping objects based on user-provided property arrays.

This vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.

Affected repositories (4)

#1556: node-fetch (CVE-2020-15168)

Severity: low

Node Fetch did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure.

For most people, this fix will have a little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant, for example: If you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.

Affected repositories (4)

#1589: ini

Severity: low

ini before version 1.3.6 has a Prototype Pollution vulnerability.

Impact

If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.

Patches

This has been patched in 1.3.6

Steps to reproduce

payload.ini [__proto__] polluted = "polluted"

poc.js: ``` var fs = require('fs') var ini = require('ini')

var parsed = ini.parse(fs.readFileSync('./payload.ini', 'utf-8')) console.log(parsed) console.log(parsed.proto) console.log(polluted) ```

```

node poc.js {} { polluted: 'polluted' } { polluted: 'polluted' } polluted

```

Affected repositories (9)
Source code is licensed under the AGPL.