Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update debug dependency (memory leak leading to vulnerability) #486

Closed
cmotsn opened this issue Jan 13, 2023 · 1 comment
Closed

Update debug dependency (memory leak leading to vulnerability) #486

cmotsn opened this issue Jan 13, 2023 · 1 comment
Labels
invalid

Comments

@cmotsn
Copy link

cmotsn commented Jan 13, 2023
edited by dougwilson

Context: the body-parser lib is included as a nested dependency in our application.
We use Checkmarx to scan for security vulnerabilities, and it indicates a vulnerability due to the usage of a version of the debug dependency which contains a memory leak.

Updating the debug package to 4.3.x would remove the vulnerability.
@cmotsn cmotsn closed this as completed Jan 13, 2023
@cmotsn cmotsn reopened this Jan 13, 2023
@dougwilson
Copy link
Contributor

Hi @cmotsn thanks for your report! The memory leak mentioned in there seems to only apply to 3.x and 4.x as stated by the project in the links. The https://checkmarx.com/blog/some-vulnerabilities-dont-have-a-name/ link you provided helpfully provides a POC to check for the issue as well, and following those steps it verifies that 2.6.9 is not vulnerable to the leak. You can verify yourself at https://github.com/MarioTeixeiraCx/POCs and installing debug@2.6.9.

@dougwilson dougwilson mentioned this issue Feb 1, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
invalid
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@dougwilson @cmotsn