Vulnerability in the library

[rpodwika]

https://www.mend.io/vulnerability-database/CVE-2022-25883

-> aws-xray-sdk-3.5.0.tgz (Root Library)

   -> aws-xray-sdk-core-3.5.0.tgz

     -> cls-hooked-4.2.2.tgz

       -> ❌ semver-5.7.1.tgz (Vulnerable Library)
      
      

[jhonnycordova]

Hello. Are you planning to fix this? Any workaround I can use in the meantime?. Thanks

[carolabadeer]

Hi @rpodwika and @jhonnycordova, thanks for raising this issue

Do you mind clarifying where v5.7.1 is being brought in? I see semver v7.3.8 in the aws-xray-sdk-core package dependencies and semver v6.3.0 being pulled in from cls-hooked

PR #598 fixes the core package version, but the version being pulled in from cls-hooked is a transitive dependency

[kryten87]

The cls-hooked package on the master branch does indeed have semver v6.3.0, but the v4.2.2 tag has semver v5.4.1. I'm not sure where 5.7.1 is coming from. In any event, the vulnerability described in the link above affects any version of semver prior to 7.5.2, so even installing from master will not resolve the problem.

The version from cls-hooked may be transitive, but it is enough to cause npm audit to complain.

[cortexcompiler]

I am seeing this vulnerability flagged for any version of semver < 7.5.2:
https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795

The paths given where it is introduced through are:

aws-xray-sdk-core@3.5.0 > cls-hooked@4.2.2 > semver@5.7.1
aws-xray-sdk@3.5.0 > aws-xray-sdk-core@3.5.0 > cls-hooked@4.2.2 > semver@5.7.1

Note that this is flagged as a high severity vulnerability.

[carolabadeer]

Hi all, thank you for your responses! We are actively working on a fix

[carolabadeer]

Node SDK v3.5.1, which includes the fix for this security vulnerability, has been released
https://github.com/aws/aws-xray-sdk-node/releases/tag/aws-xray-sdk-node%403.5.1