Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Debug package version in body parser showing security vulnerability #516

Closed
MandeeGit opened this issue Feb 26, 2024 · 10 comments
Closed

Debug package version in body parser showing security vulnerability #516

MandeeGit opened this issue Feb 26, 2024 · 10 comments
Labels
awaiting more info help wanted

Comments

@MandeeGit
Copy link

MandeeGit commented Feb 26, 2024
edited

Debug package version in body parser showing security vulnerability. This need to be updated to latest version of debug package V4.3.4. do we know when this will be updated?

debug package
@UlisesGascon
Copy link
Member

Thanks for reporting @MandeeGit, but I was not able to find this reference. What software do you use?

I checked against Snyk and Socket.dev:

@MandeeGit
Copy link
Author

@UlisesGascon I am using Check Marx. By default it is listing in my package-lock.json. Unable to override it.
image

@UlisesGascon
Copy link
Member

Yes, @MandeeGit. debug@2.6.9 is included with body-parser, but I can't see any direct vulnerability associated

No direct vulnerabilities have been found for this package in Snyk’s vulnerability database. This does not include vulnerabilities belonging to this package’s dependencies. Snyk debug@2.6.9

Same results on Socket.dev. Do you have any CVE associated?

AFAIK we are not planning to update to debug@4.3.4 yet.

@MandeeGit
Copy link
Author

MandeeGit commented Feb 27, 2024
edited

Please find CWE below @UlisesGascon
CWE - 401 and CWE 1333

image

@MandeeGit MandeeGit reopened this Feb 27, 2024
@wesleytodd
Copy link
Member

@MandeeGit A screenshot of a page is not enough for us to act on. We don't see any reported CVE's on any of the normal platforms and your screenshot is not enough to understand or remediate the issue. If it is not just a false positive on that platform please have them reach out (or do so yourself) with a security report so we can address it.

@ctcpip
Copy link
Member

ctcpip commented Feb 27, 2024
edited

false positive with Checkmarx

it's referencing:

GHSA-gxpj-cx7g-858c

and

debug-js/debug#678 (which I can't find any CVE for)

edit: the memory leak may be a valid vulnerability... but there is no patch the memory leak was fixed here: debug-js/debug#740 in version 4.3.0

@wesleytodd
Copy link
Member

Ok, I am going to close this

@ctcpip
Copy link
Member

ctcpip commented Feb 27, 2024

edited my above comment, but the memory leak was patched in 4.3.0 and was not backported

@ctcpip
Copy link
Member

ctcpip commented Feb 27, 2024

worth noting that express itself pulls in the same version of debug

@ctcpip
Copy link
Member

ctcpip commented Feb 28, 2024

good news! the memory leak is NOT present in 2.6.9. PoC here: https://stackblitz.com/edit/stackblitz-starters-dhsr9k?file=index.js

if you run the app there and open up your browser dev tools memory profiler, you'll see that there is no leak. (on my machine total heap was in the 100s of MB)

if you want to reproduce the leak there, then npm i debug@4.1.1 and then run it again. you'll see the heap go up and up

@ctcpip ctcpip mentioned this issue Feb 28, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
awaiting more info help wanted
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@wesleytodd @UlisesGascon @ctcpip @MandeeGit