High Severity Vulnerability

[rajeshK88]

CVE-2021-3807 - High Severity Vulnerability

next-11.1.2.tgz (Root Library)
react-dev-overlay-11.1.2.tgz
strip-ansi-6.0.0.tgz
❌ ansi-regex-5.0.0.tgz (Vulnerable Library)

https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/
https://nvd.nist.gov/vuln/detail/CVE-2021-3807

Can next.js team upgrade the library to
6.0.1: https://github.com/chalk/ansi-regex/releases/tag/v6.0.1

[thibautsabot]

Hello!

While you are absolutely right that there is a security vulnerability in the package, I think we should nuance its criticality.
ansi-regex is mostly used for for command-line tools, not in servers. One of chalk maintainer actually said :

The vulnerability itself is not major - unless you're allowing long AND unsanitized user input to hit the API directly, the vulnerability doesn't affect you.

To verify this, I used npm list ansi-regex on the canary branch of the Next.js repository.

Here are the results:

postcss-purgecss -> used within yargs -> terminal interface only.
@testing-library/react -> only in dev envs.
@types/jest -> only in dev envs.
@zeit/next-css-> used within chalk -> terminal interface only.
alex -> linting.
eslint -> linting.
jest -> only in dev envs.
lerna -> internal publish tools.
npmlog -> internal logs.
lint-staged -> linting.
postcss-trolling -> used within chalk -> terminal interface only.
release -> internal release mechanism.
ora -> terminal interface only.
wait-port -> used within chalk -> terminal interface only

TL;DR: The vulnerability may look scary but its application is very unlikely.
Next.js doesn't use this dependencies directly, it'd require all packages to upgrade to the latest version for the alert to disappear.

[thibautsabot]

As mentioned, every dependencies need to upgrade their version of ansi-regex and create a new release.
Only then, we will be able to upgrade these packages.

The Next.JS team can't realistically handle the update of all these deps (especially since some of them are devDependencies of dependencies..)

[Izook]

According the image scanning tool we're using (Aqua) the only package that would need to be updated would be the strip-ansi package from version @6.0.0 to @6.0.1 in the @next/react-dev-overlay. That seems to be the only package that is getting used in our production build that is triggering a warning.

All other uses of ansi-regex do not seem to be built into the final image and are not scanned or triggering a warning. If we could update just the strip-ansi dependency of the @next/react-dev-overlay soon and then update all other uses of ansi-regex that would be greatly appreciated!

It seems like the work was started here but suddenly closed: #29715 ? Is there something we can do to continue this effort?

[ijjk]

That PR was an initial attempt to see what all needs to be updated, feel free to update just that instance of the dependency in a separate PR!

[thibautsabot]

Hey @Izook a fix has been merged here: #29906 and should be available in a new canary version soon.

Edit: Check out https://github.com/vercel/next.js/releases/tag/v11.1.3-canary.70

[rajeshK88]

I see its fixed with current version 12.0.4 and eslint version 7.32.0. Thanks for fixing it. 👍