Skip to content

fix: resolve critical and high severity security vulnerabilities #258

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 5 commits into from
Nov 25, 2025
Merged

fix: resolve critical and high severity security vulnerabilities #258

merged 5 commits into from
Nov 25, 2025

Conversation

@kavindadimuthu
Copy link
Contributor

@kavindadimuthu kavindadimuthu commented Nov 24, 2025
edited
Loading

Purpose

This PR addresses multiple critical and high severity security vulnerabilities identified in the recent security audit. The changes include dependency upgrades and package overrides to patch vulnerable packages and ensure the application's security posture.

Security Issues Resolved

Critical Severity

  • pbkdf2 vulnerabilities (CVE-related):

    • Fixed issue where pbkdf2 silently disregards Uint8Array input, returning static keys
    • Fixed predictable uninitialized/zero-filled memory for non-normalized or unimplemented algorithms
    • Resolution: Added package overrides to enforce pbkdf2 >=3.1.3

  • sha.js vulnerability:

    • Fixed missing type checks leading to hash rewind and potential crafted data exploitation
    • Resolution: Added package overrides to enforce sha.js >=2.4.12

High Severity

  • axios vulnerabilities:

    • Fixed SSRF and credential leakage via absolute URL (CVE-2024-0001)
    • Fixed DoS attack vulnerability through lack of data size check
    • Resolution: Upgraded axios to >=1.12.0 across all packages
    • Resolution: Upgraded axios in browser package to >=0.30.2 and upgraded @asgardeo/auth-spa version to "^3.3.2" in vue package

  • playwright vulnerability:

    • Fixed insecure browser downloads without SSL certificate verification
    • Resolution: Upgraded playwright to >=1.55.1

  • glob vulnerability:

    • Fixed command injection vulnerability in glob CLI
    • Resolution: Upgraded glob to >=10.5.0

Changes Made

  1. Added package overrides for pbkdf2 , sha.js,'glob' and 'axios' to enforce patched versions
  2. Upgraded axios dependencies in packages to secure versions
  3. Upgraded playwright in packages to secure version (>=1.55.1)
  4. Updated rimraf version across all packages

Related Issues

Related PRs

  • N/A

Checklist

  • Followed the CONTRIBUTING guidelines.
  • Manual test round performed and verified.
  • Documentation provided. (Add links if there are any)
  • Unit tests provided. (Add links if there are any)

Security checks

DonOmalVindula
DonOmalVindula previously approved these changes Nov 25, 2025
View reviewed changes
@kavindadimuthu @DonOmalVindula
Update package.json
fa9b102 
Co-authored-by: Omal Vindula <42619922+DonOmalVindula@users.noreply.github.com>
@asgardeo-github-bot
Copy link

asgardeo-github-bot commented Nov 25, 2025

⚠️ No Changeset found

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go.

If these changes should result in a version bump, you need to add a changeset.

Refer Release Documentation to learn how to add a changeset.

@DonOmalVindula DonOmalVindula merged commit 3b9745f into asgardeo:main Nov 25, 2025
4 of 6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@DonOmalVindula DonOmalVindula DonOmalVindula approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@kavindadimuthu @asgardeo-github-bot @DonOmalVindula