Description
Which @angular/* package(s) are the source of the bug?
Don't know / other
Is this a regression?
Yes
Description
I have identified a vulnerability in the Angular v14 and v17 application related to the Node.js (node-pkg) package. The vulnerability is categorized as CVE-2022-25883, with a severity level of MEDIUM. The affected library is "semver" as specified in the package.json file.
Vulnerability Details:
Library: semver (package.json)
Vulnerability: CVE-2022-25883
Severity: MEDIUM
Status: Fixed
Installed Version: 7.3.8
Fixed Version(s): 7.5.2, 6.3.1, 5.7.2
Title: nodejs-semver: Regular expression denial of service
Reference: CVE-2022-25883
I recommend that the Angular team investigates and addresses this vulnerability promptly to ensure the security of the application. Please review the provided details and take appropriate actions to mitigate the risk associated with this security issue. Your timely guidance on the recommended version and any necessary steps for a secure migration would be immensely valuable.
Please provide a link to a minimal reproduction of the bug
No response
Please provide the exception or error you saw
In Angular CLI: 14.2.13
Vulnerability Details:
Library: semver (package.json)
Vulnerability: CVE-2022-25883
Severity: MEDIUM
Status: Fixed
Installed Version: 7.3.8
Fixed Version(s): 7.5.2, 6.3.1, 5.7.2
Title: nodejs-semver: Regular expression denial of service
Reference: CVE-2022-25883
Angular CLI: 17.0.9
Node: 21.5.0 (Unsupported)
Package Manager: npm 10.2.4
Vulnerability 1:
Library: axios (package.json)
Vulnerability: CVE-2023-45857
Severity: MEDIUM
Installed Version: 0.21.4
Fixed Version: 1.6.0
Title: axios: exposure of confidential data stored in cookies
Reference: CVE-2023-45857
Vulnerability 2:
-------------------------------------------------------------
Library: semver (package.json)
Vulnerability: CVE-2022-25883
Severity: MEDIUM
Installed Version: 7.3.8
Fixed Version(s): 7.5.2, 6.3.1, 5.7.2
Title: nodejs-semver: Regular expression denial of service
Reference: CVE-2022-25883
Please provide the environment you discovered this bug in (run ng version)
Angular CLI: 14.2.13
Node: 14.18.0
Package Manager: npm 6.14.15
OS: win32 x64
AND
Angular CLI: 17.0.9
Node: 21.5.0 (Unsupported)
Package Manager: npm 10.2.4
OS: linux x64
Angular: 17.0.8
... animations, common, compiler, compiler-cli, core, forms
... platform-browser, platform-browser-dynamic, platform-server
... router
Package Version
---------------------------------------------------------
@angular-devkit/architect 0.1700.9
@angular-devkit/build-angular 16.2.11
@angular-devkit/core 17.0.9
@angular-devkit/schematics 17.0.9
@angular/cli 17.0.9
@angular/ssr 17.0.9
@schematics/angular 17.0.9
rxjs 7.8.1
typescript 5.2.2
zone.js 0.14.2
Anything else?
The current state of our project security is critical, and I am eager to collaborate with your team to implement the necessary measures promptly. Your swift response and guidance in resolving these issues are highly appreciated.
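The check this report implies, as an added example that is not code from the issue or from Angular: a Node.js script that walks a package-lock.json (a constructed fragment is embedded, modelled on the versions quoted above) and flags every copy of semver or axios, including nested copies such as a hypothetical node_modules/@angular/cli/node_modules/semver, whose version is below the advisory's fixed version on its own major line. The FIXED table repeats the fixed versions from the scanner output; the lockfile layout and paths are assumptions.

```javascript
const FIXED = {
  // Fixed versions exactly as listed in the scanner output in this issue.
  semver: ["7.5.2", "6.3.1", "5.7.2"], // CVE-2022-25883
  axios: ["1.6.0"],                    // CVE-2023-45857
};
// Return [major, minor, patch] as numbers, ignoring pre-release/build tags.
function parseVersion(v) {
  return v.split(/[-+]/)[0].split(".").map(n => Number(n) || 0);
}
// Three-way compare of two version strings (-1, 0, 1).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0) ? -1 : 1;
  }
  return 0;
}
// Advisories list one fix per major line; an installed version is vulnerable when
// below the fix for its own line. With no fix on that line (axios 0.x, fixed only
// in 1.6.0) the installed version must reach the lowest listed fix instead.
function isVulnerable(installed, fixedVersions) {
  const major = parseVersion(installed)[0];
  const sameLine = fixedVersions.filter(f => parseVersion(f)[0] === major);
  const floor = sameLine[0] || [...fixedVersions].sort(compareVersions)[0];
  return compareVersions(installed, floor) < 0;
}
// Walk a lockfileVersion 2/3 "packages" map. Keys are install paths, so the
// package name is the segment after the last "node_modules/"; this is what
// surfaces nested copies that a top-level dependency listing does not show.
function findVulnerable(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (name in FIXED && entry.version && isVulnerable(entry.version, FIXED[name])) {
      findings.push({ path, name, version: entry.version });
    }
  }
  return findings;
}
// Constructed lockfile fragment (assumed paths) using the versions from this issue.
const SAMPLE_LOCK = { packages: {
  "": { name: "demo-app", version: "0.0.0" },
  "node_modules/semver": { version: "7.5.4" },
  "node_modules/@angular/cli/node_modules/semver": { version: "7.3.8" },
  "node_modules/axios": { version: "0.21.4" },
  "node_modules/legacy-tool/node_modules/semver": { version: "5.7.2" },
} };
console.log(findVulnerable(SAMPLE_LOCK)); // prints the nested semver 7.3.8 and axios 0.21.4 entries
```

To run it against a real project, replace SAMPLE_LOCK with JSON.parse(require("fs").readFileSync("package-lock.json", "utf8")).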