[CVE-2021-20066] : JSDom improperly allows the loading of local resources #3124
Comments
As discussed previously over email, this is equivalent to removing the brakes on your car (by explicitly opting in to loading all resources) and then complaining when the brake pedal does nothing. This is not a security issue, and the jsdom docs are very clear on the consequences of allowing resource loading. This CVE is officially "disputed" and we hope that the folks filing this will withdraw it.
Is there a way to disable loading local files, but still allowing external web files?
It is disabled by default.
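The question above is answered in the thread only for the default (no resource loading at all). As an added example that is not jsdom's own code, the following shows the hardened opt-in for the case where a caller does want remote subresources: jsdom's `resources` option accepts a custom `ResourceLoader`, and returning `null` from `fetch` tells jsdom to skip that resource. The policy function and the `makeRemoteOnlyLoader` factory are this example's own names; only `JSDOM`, `ResourceLoader` and `resources` are jsdom's.

```javascript
// Added example (not jsdom's own code). Allow-list policy for subresource
// URLs: only absolute http(s) URLs to non-loopback hosts may be fetched, so
// file:, data:, blob: and relative/unparseable URLs are refused.
function allowResource(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return false; // relative or malformed URL: jsdom should not load it
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  // Also refuse loopback so a parsed page cannot pull from local services.
  const host = url.hostname.replace(/^\[|\]$/g, "");
  if (host === "localhost" || host === "127.0.0.1" || host === "::1") return false;
  return true;
}

// Build a ResourceLoader subclass from jsdom's base class. Taking the base
// class as a parameter keeps the policy testable without jsdom installed.
function makeRemoteOnlyLoader(BaseLoader) {
  return class RemoteOnlyResourceLoader extends BaseLoader {
    fetch(url, options) {
      if (!allowResource(url)) return null; // null = do not load this resource
      return super.fetch(url, options);
    }
  };
}

// Parse HTML with remote-only resource loading enabled. jsdom is required
// lazily so the policy above can be exercised on its own.
function parseWithRemoteResources(html) {
  const { JSDOM, ResourceLoader } = require("jsdom");
  const RemoteOnlyResourceLoader = makeRemoteOnlyLoader(ResourceLoader);
  return new JSDOM(html, { resources: new RemoteOnlyResourceLoader() });
}

module.exports = { allowResource, makeRemoteOnlyLoader, parseWithRemoteResources };
```

With the default `resources` setting none of this is needed; the loader only matters once a caller opts in to loading subresources.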
GitHub now shows this old CVE has been patched in v16.5.0. In the changelog here I see nothing about this and I also don't know why it comes up now hmm…
Basic info:
Minimal reproduction case
From https://fr.tenable.com/security/research/tra-2021-05 (CVE-2021-20066) :