Security issue with curlrequest #7

Open
HaydenMacDonald opened this issue Feb 27, 2021 · 1 comment

Comments

@HaydenMacDonald

Hi there,

Great work with this library! An issue I've had while using beeminderjs is that GitHub flags curlrequest as a security issue.

CVE-2020-7646 [high severity]
Vulnerable versions: <= 1.0.1
Patched version: No fix
curlrequest through 1.0.1 allows execution of arbitrary commands. It is possible to inject arbitrary commands by using a semicolon char in any of the options values.

Is there a way for curlrequest to be replaced as a dependency, as there seems to be no dedicated owner of curlrequest and it hasn't been updated in years?

Thanks!

@HaydenMacDonald
Author

@malcolmocean Any thoughts around how this issue can be solved? Thanks!
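
Added example, not part of the issue thread and not code from beeminderjs or curlrequest: one way to call curl from Node without the class of bug the quoted advisory describes is to pass every value as its own argv entry to `execFile`, which starts the program without a shell, so a semicolon in an option value stays literal data. The option names (`url`, `method`, `headers`, `data`), the function names and the sample values are assumptions made for this example.

```javascript
// Added example: not beeminderjs or curlrequest code. Option names are assumptions.
const METHODS = new Set(['GET', 'POST', 'PUT', 'DELETE']);
const HEADER_NAME = /^[A-Za-z0-9-]+$/; // keeps curl from reading "--header @file"
const FIELD_NAME = /^[A-Za-z0-9_]+$/;  // keeps --data-urlencode in name=content form

// Turn caller-supplied options into an argv array for curl. Nothing here is
// ever joined into a command string, so no shell parses the values.
function buildCurlArgs(opts) {
  const url = new URL(opts.url); // throws on malformed input
  if (url.protocol !== 'https:' && url.protocol !== 'http:') {
    throw new Error(`unsupported scheme: ${url.protocol}`);
  }
  const method = String(opts.method || 'GET').toUpperCase();
  if (!METHODS.has(method)) throw new Error(`unsupported method: ${method}`);

  const args = ['--silent', '--show-error', '--request', method];
  for (const [name, value] of Object.entries(opts.headers || {})) {
    if (!HEADER_NAME.test(name)) throw new Error(`bad header name: ${name}`);
    if (/[\r\n]/.test(String(value))) throw new Error('line break in header value');
    args.push('--header', `${name}: ${value}`);
  }
  for (const [name, value] of Object.entries(opts.data || {})) {
    if (!FIELD_NAME.test(name)) throw new Error(`bad field name: ${name}`);
    args.push('--data-urlencode', `${name}=${value}`);
  }
  args.push('--url', url.href);
  return args;
}

// execFile starts curl directly (no /bin/sh), passing each array element as
// one argument. child_process is loaded here so buildCurlArgs stays pure.
function runCurl(opts, callback) {
  const { execFile } = require('node:child_process');
  return execFile('curl', buildCurlArgs(opts), { timeout: 10000 }, callback);
}

// Constructed sample input: the semicolons are ordinary data.
const SAMPLE_OPTS = {
  url: 'https://api.example.test/v1/items?q=a;b',
  method: 'post',
  headers: { 'X-Note': 'a; echo INJECTED' },
  data: { comment: 'x; y' },
};
console.log(buildCurlArgs(SAMPLE_OPTS));
```

The name checks matter even without a shell, because curl itself gives special meaning to some argument shapes; avoiding the shell removes command injection, not argument-level surprises.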
