Current release of @vue/cli-service is affected by CVE-2021-27290 Regular Expression Denial of Service in ssri #6424

Closed
wallyaltman opened this issue Apr 15, 2021 · 10 comments

Comments

@wallyaltman

Version

4.5.12

Environment info

Environment Info:

  System:
    OS: Linux 5.11 Arch Linux
    CPU: (8) x64 Intel(R) Core(TM) i7-6700 CPU @ 3.40GHz
  Binaries:
    Node: Not Found
    Yarn: 1.22.10 - /tmp/yarn--1618510365267-0.6910111220689819/yarn
    npm: 7.8.0 - /usr/bin/npm
  Browsers:
    Chrome: Not Found
    Firefox: 87.0
  npmPackages:
    @vue/babel-helper-vue-jsx-merge-props:  1.2.1 
    @vue/babel-plugin-transform-vue-jsx:  1.2.1 
    @vue/babel-preset-app:  3.12.1 
    @vue/babel-preset-jsx:  1.2.4 
    @vue/babel-sugar-composition-api-inject-h:  1.2.1 
    @vue/babel-sugar-composition-api-render-instance:  1.2.4 
    @vue/babel-sugar-functional-vue:  1.2.2 
    @vue/babel-sugar-inject-h:  1.2.2 
    @vue/babel-sugar-v-model:  1.2.3 
    @vue/babel-sugar-v-on:  1.2.3 
    @vue/cli: ^4.5.4 => 4.5.11 
    @vue/cli-overlay:  4.5.12 
    @vue/cli-plugin-babel: ^3.5.0 => 3.12.1 
    @vue/cli-plugin-eslint: ^3.5.0 => 3.12.1 
    @vue/cli-plugin-router:  4.5.12 
    @vue/cli-plugin-vuex:  4.5.12 
    @vue/cli-service: ^4.5.4 => 4.5.12 
    @vue/cli-shared-utils:  4.5.11 (3.12.1, 4.5.12)
    @vue/cli-ui:  4.5.11 
    @vue/cli-ui-addon-webpack:  4.5.11 
    @vue/cli-ui-addon-widgets:  4.5.11 
    @vue/compiler-core:  3.0.7 
    @vue/compiler-dom:  3.0.7 
    @vue/compiler-sfc:  undefined (3.0.7)
    @vue/compiler-ssr:  3.0.7 
    @vue/component-compiler-utils:  3.2.0 
    @vue/preload-webpack-plugin:  1.1.2 
    @vue/reactivity:  3.0.7 
    @vue/runtime-core:  3.0.7 
    @vue/runtime-dom:  3.0.7 
    @vue/shared:  3.0.7 
    @vue/web-component-wrapper:  1.3.0 
    eslint-plugin-vue: ^5.0.0 => 5.2.3 (4.7.1)
    typescript:  3.9.9 
    vue: ^2.6.10 => 2.6.12 (3.0.7)
    vue-cli-plugin-apollo:  0.21.3 
    vue-cli-plugin-vuetify: latest => 2.0.7 
    vue-cli-plugin-vuetify-essentials: latest => 0.8.3 
    vue-codemod:  0.0.4 
    vue-eslint-parser:  5.0.0 (2.0.3)
    vue-hot-reload-api:  2.3.4 
    vue-loader:  15.9.6 (16.2.0)
    vue-style-loader:  4.1.3 
    vue-template-compiler: 2.6.12 => 2.6.12 
    vue-template-es2015-compiler:  1.9.1 
    vuetify: ^2.1.11 => 2.3.14 
    vuetify-loader: ~>1.4.2 => 1.4.4 
  npmGlobalPackages:
    @vue/cli: Not Found

Steps to reproduce

  • Require the latest stable version of the @vue/cli-service package in any app.
  • Run yarn audit.

What is expected?

The latest version of the software does not report any vulnerabilities.

What is actually happening?

The latest version of the software has two vulnerabilities from ssri, one from a direct dependency on the package.


My pipeline broke today once this vulnerability finally made it into the audit database.

https://www.npmjs.com/advisories/565

@undergroundwires

undergroundwires commented Apr 15, 2021

My pipeline has been failing since yesterday and I tried with both 4.5.11 and 4.5.12 and both fail. I reproduced it on privacy.sexy with npm install and then npm audit after cloning.

Here's the npm audit report:
# npm audit report

ssri  5.2.2 - 6.0.1 || 7.0.0 - 8.0.0
Severity: moderate
Regular Expression Denial of Service - https://npmjs.com/advisories/565
fix available via `npm audit fix --force`
Will install @vue/cli-service@4.1.1, which is a breaking change
node_modules/@vue/cli-service/node_modules/ssri
node_modules/ssri
  @vue/cli-service  4.0.0-alpha.0 - 4.5.12
  Depends on vulnerable versions of ssri
  Depends on vulnerable versions of terser-webpack-plugin
  node_modules/@vue/cli-service
  cacache  10.0.4 - 11.0.0 || 13.0.0 - 14.0.0
  Depends on vulnerable versions of ssri
  node_modules/@vue/cli-service/node_modules/cacache
    terser-webpack-plugin  2.1.1 - 2.3.8
    Depends on vulnerable versions of cacache
    node_modules/@vue/cli-service/node_modules/terser-webpack-plugin

4 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

It seems to be caused by dependencies on ssri directly and through webpack-contrib/terser-webpack-plugin and cacache.

FYI, ssri has backported the fix to 6.0.2.

@jbo023

jbo023 commented Apr 16, 2021

Yeah, we have the same problem; also see npm/ssri#20.

@gerbenvandekraats

Same problem, and similar npm audit report as @undergroundwires. Is it safe to proceed creating a project with these warnings?

@19Topgun93

Same here. I tried to install ssri with npm on my own, but the vulnerabilities are the same.

@19Topgun93

I now have 3 ssri installed: 6.0.1, 7.1.0, 7.0.0 and 8.0.1.

@dawwad

dawwad commented May 2, 2021

package.json:

  "scripts": {
    "preinstall": "npx npm-force-resolutions"
  },
  ...
  "resolutions": {
    "yargs-parser": "^18.1.2",
    "ssri": "8.0.1"
  },

@gerbenvandekraats

@dawwad Thank you. I tried, but no luck:

$ npm ls ssri
└─┬ @vue/cli-service@4.5.12
  ├─┬ copy-webpack-plugin@5.1.2
  │ └─┬ cacache@12.0.4
  │   └── ssri@6.0.2
  ├── ssri@7.1.0
  └─┬ terser-webpack-plugin@2.3.8
    └─┬ cacache@13.0.1
      └── ssri@7.1.0 deduped

I removed yargs-parser from resolutions because I don't think it's part of this solution? Or didn't I understand correctly and do I need to include that as well?

@dawwad

dawwad commented May 3, 2021

Hey @gerbenvandekraats, regarding yargs-parser, I had a low vulnerability as well, but yes, it's not part of this solution.
After adding the preinstall script and resolutions, an npm install needs to be triggered. After that I checked npm audit, and I got 0 vulnerabilities...

=== npm audit security report ===

found 0 vulnerabilities

This is my npm ls ssri:

├─┬ @storybook/addon-docs@6.2.9
│ └─┬ @storybook/builder-webpack4@6.2.9
│   └─┬ terser-webpack-plugin@3.1.0
│     └─┬ cacache@15.0.6
│       └── ssri@8.0.1 
└─┬ @vue/cli-service@4.5.12
  ├─┬ copy-webpack-plugin@5.1.2
  │ └─┬ cacache@12.0.4
  │   └── ssri@8.0.1 
  ├── ssri@8.0.1 
  └─┬ terser-webpack-plugin@2.3.8
    └─┬ cacache@13.0.1
      └── ssri@8.0.1 
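
The following is an added example, not code from the Vue CLI project or from anyone in this thread. It re-creates the check behind the audit findings posted above: walk a dependency tree in the shape of `npm ls --json` output, flag every copy of ssri whose version falls inside the advisory's range ("5.2.2 - 6.0.1 || 7.0.0 - 8.0.0", exactly as the npm audit report prints it), then apply a resolutions-style override map to confirm that the `"ssri": "8.0.1"` pin from the package.json snippet clears the finding. The tree is constructed by hand from the earlier `npm ls ssri` output that still showed ssri@7.1.0; the range parser handles only the hyphen and `||` syntax advisories use and rejects caret, tilde and comparator ranges rather than mis-parsing them.

```javascript
// Added example (not from the Vue CLI project or from any commenter above).
// Re-creates the check behind the audit findings in this thread: walk an
// `npm ls --json`-shaped tree, flag copies of a package inside an advisory's
// vulnerable range, then re-check with a `resolutions`-style override applied.

// Vulnerable range exactly as printed in the npm audit report above.
const SSRI_VULN_RANGE = '5.2.2 - 6.0.1 || 7.0.0 - 8.0.0';

// Parse "MAJOR.MINOR.PATCH"; pre-release/build suffixes are ignored, which is
// fine for the release versions npm ls prints in this thread.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Handles the subset of npm range syntax advisories use: inclusive hyphen
// ranges ("lo - hi") and exact versions, joined by "||". Caret/tilde/comparator
// clauses are rejected instead of being silently mis-read as "not vulnerable".
function inRange(version, range) {
  return range.split('||').some((clause) => {
    const c = clause.trim();
    if (/[\^~<>=*x]/i.test(c)) throw new Error(`unsupported range clause: ${c}`);
    const parts = c.split(/\s+-\s+/);
    if (parts.length === 1) return compareVersions(version, parts[0]) === 0;
    const [lo, hi] = parts;
    return compareVersions(version, lo) >= 0 && compareVersions(version, hi) <= 0;
  });
}

// Depth-first walk over { version, dependencies: { name: node } } nodes, the
// shape `npm ls --json` emits. `overrides` maps a package name to the version a
// resolutions pin would install in place of whatever the tree currently holds.
function findVulnerable(tree, pkg, range, overrides = {}) {
  const hits = [];
  const walk = (node, path) => {
    for (const [name, dep] of Object.entries(node.dependencies || {})) {
      const pinned = Object.prototype.hasOwnProperty.call(overrides, name);
      const version = pinned ? overrides[name] : dep.version;
      const here = path.concat(`${name}@${version}`);
      if (name === pkg && inRange(version, range)) hits.push(here.join(' > '));
      walk(dep, here);
    }
  };
  walk(tree, []);
  return hits;
}

// Constructed input: modelled on the `npm ls ssri` output posted in this thread
// before the override took effect (ssri@7.1.0 directly under cli-service and
// under terser-webpack-plugin > cacache; ssri@6.0.2 under copy-webpack-plugin).
const TREE = {
  name: 'my-app',
  version: '1.0.0',
  dependencies: {
    '@vue/cli-service': {
      version: '4.5.12',
      dependencies: {
        ssri: { version: '7.1.0' },
        'copy-webpack-plugin': {
          version: '5.1.2',
          dependencies: {
            cacache: { version: '12.0.4', dependencies: { ssri: { version: '6.0.2' } } },
          },
        },
        'terser-webpack-plugin': {
          version: '2.3.8',
          dependencies: {
            cacache: { version: '13.0.1', dependencies: { ssri: { version: '7.1.0' } } },
          },
        },
      },
    },
  },
};

// The pin from the package.json snippet posted above.
const RESOLUTIONS = { ssri: '8.0.1' };

// Findings before and after the pin, for the same tree.
function report(tree) {
  return {
    before: findVulnerable(tree, 'ssri', SSRI_VULN_RANGE),
    after: findVulnerable(tree, 'ssri', SSRI_VULN_RANGE, RESOLUTIONS),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const { before, after } = report(TREE);
  console.log(`vulnerable ssri copies before override: ${before.length}`);
  before.forEach((p) => console.log('  ' + p));
  console.log(`vulnerable ssri copies after pinning ssri@8.0.1: ${after.length}`);
}
```

Run with `node` and it reports the two ssri@7.1.0 copies (7.1.0 sits inside 7.0.0 - 8.0.0, so the backported 6.0.2 under copy-webpack-plugin is clean while the direct copy and the one under terser-webpack-plugin > cacache are not), then zero copies once ssri is pinned to 8.0.1. The pin only reaches the installed tree after a fresh `npm install`, because npm-force-resolutions works by rewriting package-lock.json in the preinstall step; forcing a different major of a transitive dependency is a stopgap to carry until the upstream release that drops the affected terser-webpack-plugin/cacache line ships.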

@clauda

clauda commented May 6, 2021

Hi guys, anyone looking at this?
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27290

sodatea added a commit that referenced this issue May 6, 2021
Needs to downgrade terser-webpack-plugin to v1, which is the default
version in webpack 4.

Since the major breaking changes in v2 are mostly
related to option default values, the downgrading does not introduce
breaking changes in Vue CLI.

Closes #6424
sodatea added a commit that referenced this issue May 7, 2021
Needs to downgrade terser-webpack-plugin to v1, which is the default
version in webpack 4.

Since the major breaking changes in v2 are mostly
related to option default values, the downgrading does not introduce
breaking changes in Vue CLI.

Closes #6424
@sodatea
Member

sodatea commented May 8, 2021

The ssri issue is fixed in v4.5.13

sodatea closed this as completed May 8, 2021
8 participants