
[material-ui] Prototype pollution security vulnerability in @mui/utils #42607

Closed
rsellucian opened this issue Jun 10, 2024 · 8 comments
Labels: package: material-ui (Specific to @mui/material); package: utils (private) (Specific to the private @mui/utils package); status: expected behavior (Does not imply the behavior is intended. Just that we know about it and can't work around it)

Comments

@rsellucian

rsellucian commented Jun 10, 2024

Steps to reproduce

Run a snyk scan on version v5.15.19 of MUI.

Current behavior

Snyk is reporting a high-priority prototype pollution issue in @mui/utils

https://security.snyk.io/vuln/SNYK-JS-MUIUTILS-7231125

Prototype Pollution [High Severity][https://security.snyk.io/vuln/SNYK-JS-MUIUTILS-7231125] in @mui/utils@5.15.14
    introduced by @mui/lab@5.0.0-alpha.169 > @mui/utils@5.15.14 and 9 other path(s)
  This issue was fixed in versions: 6.0.0-alpha.9

This issue was addressed in MUI 6.0.0-alpha.9, (see conversation here), but it has not been backported to the latest release of 5.x (5.15.19).

Will this be addressed in version 5.x of MUI as well?

Expected behavior

No prototype pollution vulnerabilities detected.

Context

No response

Your environment

```
npx @mui/envinfo
  System:
    OS: macOS 14.4.1
  Binaries:
    Node: 18.17.0 - ~/.nvm/versions/node/v18.17.0/bin/node
    npm: 9.6.7 - ~/.nvm/versions/node/v18.17.0/bin/npm
    pnpm: Not Found
  Browsers:
    Chrome: 125.0.6422.142
    Edge: 125.0.2535.92
    Safari: 17.4.1
  npmPackages:
    @emotion/react: 11.10.5 => 11.10.5
    @emotion/styled: 11.10.5 => 11.10.5
    @mui/base:  5.0.0-beta.40
    @mui/core-downloads-tracker:  5.15.19
    @mui/lab: 5.0.0-alpha.169 => 5.0.0-alpha.169
    @mui/material: 5.15.5 => 5.15.5
    @mui/private-theming:  5.15.14
    @mui/styled-engine:  5.15.14
    @mui/styles: 5.15.5 => 5.15.5
    @mui/system:  5.15.15
    @mui/types:  7.2.14
    @mui/utils:  5.15.14
    @types/react: 17.0.65 => 17.0.65
    react: 17.0.2 => 17.0.2
    react-dom: 17.0.2 => 17.0.2
    typescript:  5.4.5
```


**Search keywords**: security prototype pollution deepmerge
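The bug class the Snyk advisory names, as an added illustration that is not code from the original post and not MUI's own deepmerge (the thread below ends with Snyk withdrawing the advisory, so nothing here is a reproduction against @mui/utils): a minimal recursive merge that recurses into whatever `target["__proto__"]` resolves to, beside a hardened variant that skips the prototype-chain keys and only recurses into own properties of the target. The `PAYLOAD_JSON` input, the `pollutes` helper and the `PROTOTYPE_KEYS` deny-list are constructed for the demonstration and are assumptions, not anything taken from the project.

```javascript
// Added illustrative example of prototype pollution via deep merge; not MUI code.

// A "plain object" here is one whose prototype is Object.prototype or null.
// Note that Object.prototype itself satisfies this test, which is exactly
// what the unsafe merge below trips over.
function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// UNSAFE (constructed to show the defect): merges `source` into `target` in
// place and recurses into whatever `target[key]` resolves to. For the key
// "__proto__" that lookup walks the prototype chain and yields
// Object.prototype, so the nested values get written onto every object.
function unsafeDeepmerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeDeepmerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened variant (assumed mitigation, shown for contrast): refuse the keys
// that reach the prototype chain, and only recurse into an own property of
// `target`, never an inherited one.
const PROTOTYPE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeDeepmerge(target, source) {
  for (const key of Object.keys(source)) {
    if (PROTOTYPE_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const ownPlain =
        Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key]);
      if (!ownPlain) target[key] = {};
      safeDeepmerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker input: a JSON body a consumer might merge into a
// theme/options object. JSON.parse creates "__proto__" as an *own* key,
// which is what makes it visible to Object.keys().
const PAYLOAD_JSON = '{"theme":{"mode":"dark"},"__proto__":{"polluted":true}}';

// Runs `merge` on a fresh target and reports whether Object.prototype gained
// a "polluted" own property. Cleans up afterwards so the rest of the process
// is not left polluted.
function pollutes(merge) {
  const result = merge({}, JSON.parse(PAYLOAD_JSON));
  const hit = Object.prototype.hasOwnProperty.call(Object.prototype, 'polluted');
  delete Object.prototype.polluted;
  return { hit, themeMode: result.theme.mode };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe merge pollutes Object.prototype:', pollutes(unsafeDeepmerge).hit); // true
  console.log('safe merge pollutes Object.prototype:  ', pollutes(safeDeepmerge).hit);   // false
}
```

Run it with `node`. The point worth taking from the thread is the one the example makes concrete: the pollution only materialises if the merge recurses into an inherited `__proto__` and mutates it in place; a merge that copies into a fresh object, or that skips the key, never reaches `Object.prototype`. That is why a scanner entry without a reproduction is worth challenging rather than accepted on trust.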
@rsellucian rsellucian added the status: waiting for maintainer These issues haven't been looked at yet by a maintainer label Jun 10, 2024
@DiegoAndai DiegoAndai self-assigned this Jun 10, 2024
@DiegoAndai DiegoAndai added the security Pull requests that address a security vulnerability label Jun 10, 2024
@DiegoAndai
Member

Thanks for the report @rsellucian! I created a PR to cherry pick the fix to v5

@DiegoAndai DiegoAndai removed the status: waiting for maintainer These issues haven't been looked at yet by a maintainer label Jun 10, 2024
@rsellucian
Author

@DiegoAndai Thank you for jumping on this so quickly.

@danilo-leal danilo-leal changed the title Prototype Pollution security vulnerability in @mui/utils (MUI v5) [material-ui] Prototype pollution security vulnerability in @mui/utils Jun 10, 2024
@danilo-leal danilo-leal added package: utils (private) Specific to the private @mui/utils package package: material-ui Specific to @mui/material labels Jun 10, 2024
@oliviertassinari
Member

oliviertassinari commented Jun 10, 2024

@tjcouch-sil could you flag https://security.snyk.io/vuln/SNYK-JS-MUIUTILS-7231125 as false? It has no reproductions, so would tend to confirm #41652 (comment).

@tjcouch-sil
Contributor

> @tjcouch-sil could you flag https://security.snyk.io/vuln/SNYK-JS-MUIUTILS-7231125 as false? It has no reproductions, so would tend to confirm #41652 (comment).

Unfortunately I don't have any direct access to be able to flag it directly, but I submitted a request for them to flag it as a false positive. Context here

@oliviertassinari oliviertassinari added status: expected behavior Does not imply the behavior is intended. Just that we know about it and can't work around it and removed security Pull requests that address a security vulnerability labels Jun 11, 2024
@oliviertassinari
Member

@tjcouch-sil Ok, thanks

@tjcouch-sil
Contributor

Snyk let me know they're investigating the report. I'll keep you updated!

@tjcouch-sil
Contributor

Update: the issue is up to their R&D team to do further investigation.

@oliviertassinari
Member

Ok, it was closed, back to normal 👍

(screenshot attached: SCR-20240617-tieu)

https://security.snyk.io/vuln/SNYK-JS-MUIUTILS-7231125
