
Security vulnerabilities reported by nsp and snyk #960

Open

rahul-desai3 opened this issue Oct 6, 2017 · 3 comments

Comments

@rahul-desai3

I have been using the NPM modules nsp and snyk to test the node modules in my project for security vulnerabilities.

Reported by nsp:

$ nsp check --output json
[
  {
    "id": 533,
    "updated_at": "2017-09-25T19:11:21.203Z",
    "created_at": "2017-09-21T20:44:30.777Z",
    "publish_date": "2017-09-25T19:11:21.202Z",
    "overview": "The timespan module is vulnerable to regular expression denial of service. Given 50k characters of untrusted user input it will block the event loop for around 10 seconds.",
    "recommendation": null,
    "cvss_vector": null,
    "cvss_score": null,
    "module": "timespan",
    "version": "2.3.0",
    "vulnerable_versions": "<=99.999.99999",
    "patched_versions": "<0.0.0",
    "title": "Regular Expression Denial of Service",
    "path": [
      "edm@1.0.0",
      "forever@0.15.3",
      "timespan@2.3.0"
    ],
    "advisory": "https://nodesecurity.io/advisories/533"
  }
]

Reported by snyk:

$ snyk test
✗ Low severity vulnerability found on debug@2.6.8
- desc: Regular Expression Denial of Service (ReDoS)
- info: https://snyk.io/vuln/npm:debug:20170905
- from: edm@1.0.0 > forever@0.15.3 > forever-monitor@1.7.1 > chokidar@1.7.0 > fsevents@1.1.2 > node-pre-gyp@0.6.36 > tar-pack@3.4.0 > debug@2.6.8
Your dependencies are out of date, otherwise you would be using a newer debug than debug@2.6.8.
Try deleting node_modules, reinstalling and running `snyk test` again.
If the problem persists, one of your dependencies may be bundling outdated modules.

✗ High severity vulnerability found on timespan@2.3.0
- desc: Regular Expression Denial of Service (ReDoS)
- info: https://snyk.io/vuln/npm:timespan:20170907
- from: edm@1.0.0 > forever@0.15.3 > timespan@2.3.0
Fix: None available. Consider removing this dependency.

✗ Medium severity vulnerability found on tough-cookie@2.3.2
- desc: Regular Expression Denial of Service (ReDoS)
- info: https://snyk.io/vuln/npm:tough-cookie:20170905
- from: edm@1.0.0 > forever@0.15.3 > forever-monitor@1.7.1 > chokidar@1.7.0 > fsevents@1.1.2 > node-pre-gyp@0.6.36 > request@2.81.0 > tough-cookie@2.3.2
Your dependencies are out of date, otherwise you would be using a newer tough-cookie than tough-cookie@2.3.2.
Try deleting node_modules, reinstalling and running `snyk test` again.
If the problem persists, one of your dependencies may be bundling outdated modules.

Tested 365 dependencies for known vulnerabilities, found 3 vulnerabilities, 3 vulnerable paths.
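Both reports above list the same advisory through different paths, and what a maintainer can act on is the direct dependency at the top of each path (here `forever@0.15.3`), not the transitive module at the bottom. The following is an added example, not code from this issue or from the forever project: it parses the nsp JSON and the snyk text format as quoted above (the sample inputs are constructed from those excerpts) and groups every finding under the direct dependency that pulls it in, flagging the ones nsp or snyk say have no fixed release. The field names of the output objects (`directDep`, `fixAvailable`, `depth`) are this example's own.

```javascript
// Added example, not from the issue or the forever project: triage nsp and
// snyk findings by the direct dependency that introduces them.
// Sample inputs are constructed from the report excerpts quoted in the issue.

const nspReport = JSON.stringify([
  {
    id: 533,
    module: "timespan",
    version: "2.3.0",
    vulnerable_versions: "<=99.999.99999",
    patched_versions: "<0.0.0",
    title: "Regular Expression Denial of Service",
    path: ["edm@1.0.0", "forever@0.15.3", "timespan@2.3.0"],
    advisory: "https://nodesecurity.io/advisories/533"
  }
]);

const snykReport = `
✗ Low severity vulnerability found on debug@2.6.8
- desc: Regular Expression Denial of Service (ReDoS)
- info: https://snyk.io/vuln/npm:debug:20170905
- from: edm@1.0.0 > forever@0.15.3 > forever-monitor@1.7.1 > chokidar@1.7.0 > fsevents@1.1.2 > node-pre-gyp@0.6.36 > tar-pack@3.4.0 > debug@2.6.8
Your dependencies are out of date, otherwise you would be using a newer debug than debug@2.6.8.

✗ High severity vulnerability found on timespan@2.3.0
- desc: Regular Expression Denial of Service (ReDoS)
- info: https://snyk.io/vuln/npm:timespan:20170907
- from: edm@1.0.0 > forever@0.15.3 > timespan@2.3.0
Fix: None available. Consider removing this dependency.
`;

// nsp expresses "no fixed release exists" as the empty semver range "<0.0.0".
function nspHasFix(patchedVersions) {
  return patchedVersions !== null && patchedVersions !== "<0.0.0";
}

// path[0] is the project itself, path[1] the direct dependency.
function directDepOf(path) {
  return path[1] || path[0];
}

function parseNsp(json) {
  return JSON.parse(json).map(adv => ({
    tool: "nsp",
    module: adv.module,
    version: adv.version,
    title: adv.title,
    severity: null,                 // the quoted nsp output carries no CVSS score
    directDep: directDepOf(adv.path),
    depth: adv.path.length - 1,     // hops from the project to the vulnerable module
    fixAvailable: nspHasFix(adv.patched_versions),
    advisory: adv.advisory
  }));
}

function parseSnyk(text) {
  const findings = [];
  let current = null;
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    // Header line: "✗ <Severity> severity vulnerability found on <name>@<version>"
    const head = /^✗ (\w+) severity vulnerability found on (.+)@([^@]+)$/.exec(line);
    if (head) {
      current = { tool: "snyk", module: head[2], version: head[3], title: null,
                  severity: head[1].toLowerCase(), directDep: null, depth: 0,
                  fixAvailable: true, advisory: null };
      findings.push(current);
      continue;
    }
    if (!current) continue;
    if (line.startsWith("- desc: ")) current.title = line.slice(8);
    else if (line.startsWith("- info: ")) current.advisory = line.slice(8);
    else if (line.startsWith("- from: ")) {
      const path = line.slice(8).split(" > ");
      current.directDep = directDepOf(path);
      current.depth = path.length - 1;
    } else if (line.startsWith("Fix: None available")) current.fixAvailable = false;
  }
  return findings;
}

// Group all findings by direct dependency: that is the package.json entry a
// maintainer can upgrade, replace or drop. Returns Map<directDep, finding[]>.
function triage(nspJson, snykText) {
  const byDirectDep = new Map();
  for (const f of [...parseNsp(nspJson), ...parseSnyk(snykText)]) {
    if (!byDirectDep.has(f.directDep)) byDirectDep.set(f.directDep, []);
    byDirectDep.get(f.directDep).push(f);
  }
  return byDirectDep;
}

for (const [dep, findings] of triage(nspReport, snykReport)) {
  console.log(`${dep}: ${findings.length} finding(s)`);
  for (const f of findings) {
    const fix = f.fixAvailable ? "fix available" : "NO FIX: remove or replace";
    console.log(`  [${f.tool}] ${f.module}@${f.version} depth=${f.depth} ${fix} ${f.advisory}`);
  }
}
```

Running this against the quoted reports puts all three findings under `forever@0.15.3`, which is the point of the grouping: the timespan advisory has no patched range in either tool, so the only actionable item is the direct dependency that carries it.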
@bennycode

I also received a warning today from "nsp" about "forever": https://nodesecurity.io/advisories/533

@dman777

dman777 commented Nov 11, 2017

If forever does not listen on ports, is this really a threat/issue?

@rahul-desai3 (Author)

I still see these in my test results. Any update yet?
