High severity vulnerabilities introduced in your package #676

Closed
paimon0715 opened this issue Jul 20, 2021 · 3 comments
Labels
bug Something isn't working

Comments

@paimon0715 commented Jul 20, 2021

Hi @darrachequesne @rauchg, I found 2 vulnerabilities in your package by accident:

Issue Description

When I built my project, I noticed that engine.io-client@3.3.2 directly depends on xmlhttprequest-ssl@1.5.5. However, 2 vulnerabilities (high severity), CVE-2021-31597 and CVE-2020-28502, are detected in package xmlhttprequest-ssl<1.6.1. And I noticed that these vulnerabilities don't exist in engine.io-client (>=1.8.6 <2.0.0, >=3.5.2 <4.0.0, >=4.1.4).

As far as I am aware, engine.io-client@3.3.2 is so popular that a lot of projects still depend on it (176,318 downloads per week, and about 872 downstream projects, e.g., uppy 1.30.0, @uppy/transloadit 1.6.26, react-cosmos 5.6.3, react-cosmos-shared2 5.6.3, @uppy/robodog 1.10.12, @robostack/amphion@0.1.25, @robostack/zethus@0.1.30, auto-ros@0.1.2, etc.). In this case, issues CVE-2021-31597 and CVE-2020-28502 can be propagated into these downstream projects and expose security threats to them.

As you can see, engine.io-client@3.3.2 is introduced into the above projects via the following package dependency paths:
(1)@robostack/amphion@0.1.25 ➔ roslib@1.1.0 ➔ socket.io@2.2.0 ➔ socket.io-client@2.2.0 ➔ engine.io-client@3.3.2 ➔ xmlhttprequest-ssl@1.5.5
(2)@robostack/zethus@0.1.30 ➔ amphion@0.1.23 ➔ roslib@1.1.0 ➔ socket.io@2.2.0 ➔ socket.io-client@2.2.0 ➔ engine.io-client@3.3.2 ➔ xmlhttprequest-ssl@1.5.5
(3)auto-ros@0.1.2 ➔ roslib@1.1.0 ➔ socket.io@2.2.0 ➔ socket.io-client@2.2.0 ➔ engine.io-client@3.3.2 ➔ xmlhttprequest-ssl@1.5.5
........

Although these vulnerabilities don't exist in engine.io-client (>=1.8.6 <2.0.0, >=3.5.2 <4.0.0, >=4.1.4), the downstream projects cannot easily upgrade or degrade engine.io-client from version 3.3.2 to these safe versions:
The projects such as roslib which introduced engine.io-client@3.3.2 are not maintained anymore. And these unmaintained packages can neither upgrade nor degrade engine.io-client, nor be easily migrated by the large number of affected downstream projects.

Given the large number of downstream users, is it possible to remove the vulnerabilities from engine.io-client@3.3.2?

Suggested Solution

Maybe releasing a new patched version with the updated dependency is the simplest way to resolve the issue. Since these inactive projects set a version constraint 3.3.* for engine.io-client on the above vulnerable dependency paths, if you can kindly remove the vulnerabilities from 3.3.2 and release a new patched version engine.io-client@3.3.3, such a vulnerability patch can be automatically propagated into the 872 affected downstream projects.

In engine.io-client@3.3.3, you can kindly try to perform the following upgrade:
xmlhttprequest-ssl ~1.5.4 ➔ ~1.6.1;
Note:
xmlhttprequest-ssl@1.6.1 (>=1.6.1) has fixed the vulnerabilities CVE-2021-31597 and CVE-2020-28502.
If you have any other ways, it's kind of you to share them with me.

Thanks again for your contributions. ^_^

Best regards,
Paimon
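The propagation argument in the report above, as an added example that is not part of the issue or of the socket.io project's code: a minimal matcher for the semver range forms the report quotes (`~x.y.z`, `x.y.*`, `>=a <b`) and a depth-first walk over a constructed dependency tree, modelled on path (1), that lists every path to a copy of xmlhttprequest-ssl below 1.6.1. The tree and the hand-written range parser are assumptions for illustration; a real audit would resolve ranges with the `semver` package and read the tree from the lockfile.

```javascript
const parse = (v) => v.split('.').map(Number); // "1.5.4" -> [1, 5, 4]

function cmp(a, b) {
  // Numeric comparison of two parsed versions, component by component.
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

function satisfies(version, range) {
  const v = parse(version);
  if (range.startsWith('~')) {
    // ~1.5.4 means >=1.5.4 <1.6.0: same major.minor, patch not lower.
    const r = parse(range.slice(1));
    return v[0] === r[0] && v[1] === r[1] && v[2] >= r[2];
  }
  if (range.endsWith('.*')) {
    // 3.3.* admits every patch release of 3.3, which is why 3.3.3 propagates.
    const r = parse(range.slice(0, -2));
    return v[0] === r[0] && v[1] === r[1];
  }
  // Comparator set such as ">=3.5.2 <4.0.0": every comparator must hold.
  return range.split(/\s+/).every((c) => {
    const m = /^(>=|<=|>|<|=)?(\d+\.\d+\.\d+)$/.exec(c);
    if (!m) throw new Error(`unsupported range: ${range}`);
    const d = cmp(v, parse(m[2]));
    return { '>=': d >= 0, '<=': d <= 0, '>': d > 0, '<': d < 0, '=': d === 0 }[m[1] || '='];
  });
}

// Constructed tree (modelled on path (1) in the report) keyed by "name@version".
const tree = {
  '@robostack/amphion@0.1.25': ['roslib@1.1.0'],
  'roslib@1.1.0': ['socket.io@2.2.0'],
  'socket.io@2.2.0': ['socket.io-client@2.2.0'],
  'socket.io-client@2.2.0': ['engine.io-client@3.3.2'],
  'engine.io-client@3.3.2': ['xmlhttprequest-ssl@1.5.5'],
  'xmlhttprequest-ssl@1.5.5': [],
};

function vulnerablePaths(deps, node, pkg, vulnRange, path = []) {
  // Depth-first walk; returns every path from node to a copy of pkg inside vulnRange.
  const here = [...path, node];
  const at = node.lastIndexOf('@'); // scoped names start with '@', so split on the last one
  if (node.slice(0, at) === pkg && satisfies(node.slice(at + 1), vulnRange)) return [here];
  return (deps[node] || []).flatMap((d) => vulnerablePaths(deps, d, pkg, vulnRange, here));
}

// ~1.5.4 cannot reach the fixed 1.6.1, but 3.3.* does reach a patched 3.3.3.
console.log(satisfies('1.6.1', '~1.5.4'), satisfies('3.3.3', '3.3.*'));
console.log(vulnerablePaths(tree, '@robostack/amphion@0.1.25', 'xmlhttprequest-ssl', '<1.6.1'));
```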

@darrachequesne (Member)

@paimon0715 thanks for the very detailed report 👍

We've published engine.io-client@3.3.3, which includes xmlhttprequest-ssl@~1.6.3.

@paimon0715 (Author)

@darrachequesne Thanks for your understanding and help!

@paimon0715 (Author)

@darrachequesne Such a fix is the additional effort that the npm community brings to you.
The vulnerability patch in engine.io-client@3.3.3 can be automatically propagated into 872 projects.
Literally, it indeed benefits a huge number of downstream users.

Thanks again.
