react-scripts 5.0.1 library having vulnerable transitive libraries

[NarahariTagili-Eaton]

We are using react-scripts 5.0.1 library, under this library having vulnerable transitive libraries

1. terser/5.13.1

2. css-whatv3.4.2

3. nth-check/1.0.2

4. terser/5.13.1 is before 4.8.1, from 5.0.0, and before 5.14.2 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions and CVE: CVE-2022-25858(BDSA-2022-2526)

5. css-whatv3.4.2 is incorrectly implements Linear Time Complexity. An attacker can take advantage of this in order to overload system resources and cause a denial-of-service (DoS) and CVE : BDSA-2021-1962

6. nth-check/1.0.2 is vulnerable to Inefficient Regular Expression Complexity and CVE:
   CVE-2021-3803(BDSA-2021-2906)

We would expect to upgrade the react-scripts 5.0.1 to the latest version with

1. terser/5.13.1 to latest version terser/5.15.1
2. css-whatv3.4.2 to latest version css-what v6.1.0
3. nth-check/1.0.2 to latest version nth-check/2.1.1

using vulnerable react-scripts 5.0.1 makes our product makes vulnerable please make upgrade the react-scripts 5.0.1 to the latest version with transitive dependencies security patches

[skialpine]

While you are at it here are some more dependencies that are vulnerable and should get updated.
CVE-2022-3517
react-scripts-5.0.1.tgz (Root Library)
react-dev-utils-12.0.1.tgz
recursive-readdir-2.2.2.tgz
❌ minimatch-3.0.4.tgz (Vulnerable Library)
CVE-2022-37599
react-scripts-5.0.1.tgz (Root Library)
file-loader-6.2.0.tgz
❌ loader-utils-2.0.2.tgz (Vulnerable Library)

[enema17484]

Is there a timeframe for when the PR will be pushed to update the dependent vulnerable libraries?

[sanasreenivasulu]

All the vulnerable issues come from the dependencies packages which are outdated, is there any update on the vulnerable fix?

[rdzidziguri]

I assume CRA is dead now, as nobody responded to CVE-related topics for more than a week.

[hakhan88]

any update on this ? help needed to fix the vunerabilities !!

[thgreasi]

FWIW, The workaround I ended up for file-loader to unblock us was to use react-app-rewired and add the following in our config-overrides.js

try {
	const oneOfRule = config.module.rules.find((rule) =>
		Array.isArray(rule.oneOf),
	);
	const svgRule = oneOfRule.oneOf.find(
		(r) => r.test.toString() === '/\\.svg$/',
	);
	svgRule.type = 'asset';
	delete svgRule.use;
} catch (err) {
	console.error(
		'Error while applying config-overrides. CRA has updated the default webpack config.',
		err,
	);
	throw err;
}

[iendjinn]

See this pinned issued here, I don't think these represent actual vulnerabilities.

[mark-wiemer]

Yes, #11174 addresses this exactly and provides resolution steps.

[SangaleSadashiv]

I am also getting the vulnerabilities due to the react-scripts package.
Here are the list:

webpack-5.5.0
nth-check-1.0.2
loader-utils-3.2.1
semver-7.5.0
css-what-3.4.2
postcss-8.4.26
mime-1.3.2

Please do consider upgrading these vulnerable packages that are in the dependencies of the react-scripts package.

[adrian-crisan625]

Still getting vulnerabilities with latest react-scripts
nth-check <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - GHSA-rp65-9cf3-cjxr

postcss <8.4.31
Severity: moderate
PostCSS line return parsing error - GHSA-7fh5-64p2-3v2j

The only fix available from npm audit command is to downgrade react-scripts to version 3.0.1, which is not acceptable

[myyk]

I think at this point with no release in over 2 years, we can assume this project is probably abandoned. I migrated one project to Vite another to NextJS. Vite migration for a larger project wasn't too hard (a couple hours total).

I'm thankful for this project and its maintainers but I think it's time to move on until they come back and maintain this.