
CVE-2021-27290 in react-scripts due to using old version of webpack #10699

Open

alexross1988IBM opened this issue Mar 17, 2021 · 8 comments

@alexross1988IBM

Describe the bug

CVE-2021-27290

ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.

Looking at https://github.com/facebook/create-react-app/blob/master/packages/react-scripts/package.json it pulls in webpack @ 4.44.2 which ends up with this tree:

  ┬ react-scripts@4.0.3
  ├─┬ terser-webpack-plugin@4.2.3
  │ └─┬ cacache@15.0.5
  │   └── ssri@8.0.1 
  └─┬ webpack@4.44.2
    └─┬ terser-webpack-plugin@1.4.5
      └─┬ cacache@12.0.4
        └── ssri@6.0.1 

Moving to the latest webpack currently 5.26.2 will fix this.

@candrews

Issue reported to Webpack at webpack/webpack#12926

@vparames86

How difficult is to move react-scripts to webpack 5?

@sgarza-ksm

react-scripts to webpack 5 sounds like the move

@djmitche

djmitche commented Apr 7, 2021

Webpack 5 is #9994. Looks like "very difficult" but in progress.

@yyfearth

yyfearth commented Apr 8, 2021

> react-scripts to webpack 5 sounds like the move

> Webpack 5 is #9994. Looks like "very difficult" but in progress.

Moving to webpack 5 will be a major version update like CRA 5, which will cause breaking changes.

I think CRA definitely needs to move, but it may need more time.

So I think we should still upgrade these dependencies in CRA 4 if anyone has time to create a PR.

@nj314

nj314 commented Apr 26, 2021

Per SNYK-JS-SSRI-1246392, this is resolved by bugfix releases 6.0.2 and 8.0.1 of ssri. Run npm upgrade or rebuild package-lock.json to pick up the latest bugfix versions automatically. While I too would love to see a webpack 5-compatible react-scripts, fixing this particular vuln can be done without a react-scripts release.

@thediveo

Any news on this, as grype is still detecting this one, even when resolving ssri to ^8.0.1?
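The thread turns on which copies of ssri are actually installed: the tree in the report shows a patched ssri@8.0.1 and a vulnerable ssri@6.0.1 side by side, and nj314 notes that the 6.x and 8.x lines were fixed in 6.0.2 and 8.0.1 respectively. The script below is an added example, not code from this issue, from react-scripts, or from ssri: it walks a package-lock.json (both the nested lockfileVersion 1 layout and the flat `packages` map of lockfileVersion 2/3), lists every ssri copy with the path that pulls it in, and flags the ones inside the affected range. The range check combines the two statements on the page (5.2.2 through 8.0.0 affected, 6.0.2 and 8.0.1 fixed); the `sampleLock` object is constructed here to mirror the reported tree, and `isVulnerableSsri`, `findSsri` and `vulnerableSsriPaths` are names chosen for this example.

```javascript
// Added example: audit a package-lock.json for nested copies of ssri that fall
// inside the CVE-2021-27290 range described in this issue. Not part of the
// original thread, react-scripts or ssri.

// Parse "1.2.3" (ignoring any prerelease/build suffix) into [1, 2, 3].
function parseVersion(v) {
  return v.split(/[-+]/)[0].split('.').map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Affected per the advisory text: 5.2.2 up to (but excluding) 8.0.1.
// Per nj314's comment, 6.0.2 is a backport fix, so 6.0.2 <= v < 7.0.0 is clean.
function isVulnerableSsri(version) {
  const v = parseVersion(version);
  const inRange =
    compareVersions(v, [5, 2, 2]) >= 0 && compareVersions(v, [8, 0, 1]) < 0;
  const backported = v[0] === 6 && compareVersions(v, [6, 0, 2]) >= 0;
  return inRange && !backported;
}

// Collect every ssri occurrence with the path that pulls it in.
function findSsri(lock) {
  const hits = [];
  const add = (path, version) =>
    hits.push({ path, version, vulnerable: isVulnerableSsri(version) });

  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path ("" is the root).
    for (const [key, entry] of Object.entries(lock.packages)) {
      if (key.endsWith('node_modules/ssri')) add(key, entry.version);
    }
  } else {
    // lockfileVersion 1: nested "dependencies" objects.
    const walk = (deps, trail) => {
      for (const [name, entry] of Object.entries(deps || {})) {
        const path = [...trail, `${name}@${entry.version}`];
        if (name === 'ssri') add(path.join(' > '), entry.version);
        walk(entry.dependencies, path);
      }
    };
    walk(lock.dependencies, []);
  }
  return hits;
}

function vulnerableSsriPaths(lock) {
  return findSsri(lock).filter((h) => h.vulnerable).map((h) => h.path);
}

// Constructed lockfileVersion 1 fragment mirroring the react-scripts@4.0.3
// tree quoted in the report (a real run would JSON.parse the lock file).
const sampleLock = {
  name: 'my-app',
  lockfileVersion: 1,
  dependencies: {
    'react-scripts': {
      version: '4.0.3',
      dependencies: {
        'terser-webpack-plugin': {
          version: '4.2.3',
          dependencies: {
            cacache: { version: '15.0.5', dependencies: { ssri: { version: '8.0.1' } } },
          },
        },
        webpack: {
          version: '4.44.2',
          dependencies: {
            'terser-webpack-plugin': {
              version: '1.4.5',
              dependencies: {
                cacache: { version: '12.0.4', dependencies: { ssri: { version: '6.0.1' } } },
              },
            },
          },
        },
      },
    },
  },
};

for (const hit of findSsri(sampleLock)) {
  console.log(`${hit.vulnerable ? 'VULNERABLE' : 'ok        '} ${hit.path}`);
}
```

Because the walk reports nested copies rather than the top-level resolution, a `^8.0.1` constraint on ssri in the root package.json does not make the cacache@12.0.4 copy disappear from the output; that copy is only replaced when its parent's lock entry is regenerated with the 6.0.2 bugfix release.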

@stale

stale bot commented Jan 9, 2022

This issue has been automatically marked as stale because it has not had any recent activity. It will be closed in 5 days if no further activity occurs.
