Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

GHSA-6x33-pw7p-hmpq found on trivy scan cypress version is 13.3.3 #28206

Closed
eagle-txec opened this issue Nov 1, 2023 · 2 comments
Closed

GHSA-6x33-pw7p-hmpq found on trivy scan cypress version is 13.3.3 #28206

eagle-txec opened this issue Nov 1, 2023 · 2 comments
Labels
stale no activity on this issue for a long period

Comments

@eagle-txec
Copy link

Current behavior

installed version is 1.18.0

Desired behavior

Upgrade the fixed version 1.18.1

Test code to reproduce

Cypress Version

13.3.3

Node version

16.20.2

Operating System

Debug Logs

"VulnerabilityID": "GHSA-6x33-pw7p-hmpq",
          "InstalledVersion": "1.18.0"
        },
        {
          "Layer": {
            "DiffID": "sha256:e2ddedde812d03ee158150d58a19d4458068fc655e610b0b0e3e95b10b30c6af"
          },
          "PkgID": "http-proxy@1.18.0",
          "Title": "Denial of Service in http-proxy",
          "Status": "fixed",
          "PkgName": "http-proxy",
          "PkgPath": "src/.artifacts/.cache/Cypress/13.3.3/Cypress/resources/app/node_modules/http-proxy/package.json",
          "Severity": "HIGH",
          "DataSource": {
            "ID": "ghsa",
            "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm",
            "Name": "GitHub Security Advisory npm"
          },
          "PrimaryURL": "https://github.com/advisories/GHSA-6x33-pw7p-hmpq",
          "References": [
            "https://github.com/http-party/node-http-proxy/pull/1447/commits/4718119ffbe895aecd9be0d6430357d44b4c7fd3",
            "https://github.com/http-party/node-http-proxy/pull/1447/files",
            "https://www.npmjs.com/advisories/1486"
          ],
          "Description": "Versions of `http-proxy` prior to 1.18.1 are vulnerable to Denial of Service. An HTTP request with a long body triggers an `ERR_HTTP_HEADERS_SENT` unhandled exception that crashes the proxy server. This is only possible when the proxy server sets headers in the proxy request using the `proxyReq.setHeader` function.   \n\nFor a proxy server running on `http://localhost:3000`, the following curl request triggers the unhandled exception:  \n -XPOST http://localhost:3000 -d \"$(python -c 'print(\"x\"*1025)')\"\n\n\n## Recommendation\n\nUpgrade to version 1.18.1 or later",
          "FixedVersion": "1.18.1",
          "SeveritySource": "ghsa",

Other

No response
@cypress-app-bot
Copy link
Collaborator

This issue has not had any activity in 180 days. Cypress evolves quickly and the reported behavior should be tested on the latest version of Cypress to verify the behavior is still occurring. It will be closed in 14 days if no updates are provided.

@cypress-app-bot cypress-app-bot added the stale no activity on this issue for a long period label Apr 30, 2024
@cypress-app-bot
Copy link
Collaborator

This issue has been closed due to inactivity.

@cypress-app-bot cypress-app-bot closed this as not planned Won't fix, can't repro, duplicate, stale May 14, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
stale no activity on this issue for a long period
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@cypress-app-bot @eagle-txec