
High severity vulnerability detected by audit in react-scripts 3.4.2 dependencies #9469

Closed
FredChauviere opened this issue Aug 11, 2020 · 20 comments

Comments

@FredChauviere

FredChauviere commented Aug 11, 2020

Edit from maintainers: this is a false positive.

See #9469 (comment).

Describe the bug

After installing the latest version (3.4.2) of react-scripts, I got a high severity vulnerability (Remote Code Execution) from serialize-javascript (2.1.2) via terser-webpack-plugin (2.3.5), which is a dependency of react-scripts (3.4.2).

Did you try recovering your dependencies?

Yes
npm --version
6.14.7

Which terms did you search for in User Guide?

NA

Environment

Environment Info:

current version of create-react-app: 3.4.1
running from C:\Users\fcha\AppData\Roaming\npm-cache_npx\16340\node_modules\create-react-app

System:
OS: Windows 10 10.0.18363
CPU: (8) x64 Intel(R) Core(TM) i7-4770 CPU @ 3.40GHz
Binaries:
Node: 11.10.0 - C:\Program Files\nodejs\node.EXE
Yarn: Not Found
npm: 6.14.7 - C:\Program Files\nodejs\npm.CMD
Browsers:
Edge: 44.18362.449.0
Internet Explorer: 11.0.18362.1
npmPackages:
react: ^16.13.1 => 16.13.1
react-dom: ^16.13.1 => 16.13.1 (15.6.1)
react-scripts: ^3.4.2 => 3.4.2
npmGlobalPackages:
create-react-app: Not Found

Steps to reproduce

NA

Expected behavior

No vulnerabilities detected by audit

Actual behavior

High severity vulnerabilities detected by audit

=== npm audit security report ===

Manual Review
Some vulnerabilities require your attention to resolve

Visit https://go.npm.me/audit-guide for additional guidance

High Remote Code Execution

Package serialize-javascript

Patched in >=3.1.0

Dependency of react-scripts

Path react-scripts > terser-webpack-plugin > serialize-javascript

More info https://npmjs.com/advisories/1548

found 1 high severity vulnerability in 2114 scanned packages
1 vulnerability requires manual review. See the full report for details.

Reproducible demo

NA

@FredChauviere FredChauviere changed the title from "High severity vulnerability detected by audit in react-script 3.4.2 dependencies" to "High severity vulnerability detected by audit in react-scripts 3.4.2 dependencies" on Aug 11, 2020
@charkour

I am experiencing the same high severity vulnerability. Does anyone have suggestions on the best way to solve this issue? I do not have much experience with manually fixing npm vulnerabilities. Thanks.

@knivesschau

knivesschau commented Aug 11, 2020

I am experiencing the same issue as well. I tried manually installing the latest versions of the packages serialize-javascript and terser-webpack-plugin as a fix, but I am still running into the same high vulnerability notification on audit.

npm version is 6.14.5

@Pilipo

Pilipo commented Aug 11, 2020

I am experiencing the same issue.

npm --version
6.14.7

react-scripts: 3.4.2

@netanelmaroof

Experiencing the same vulnerability - running npm version 6.14.7

@hoffmang9

Such things always seem to happen on the day of a release. Us too...

@thien-do
Contributor

thien-do commented Aug 11, 2020

I believe the best way to solve this is for react-scripts to upgrade its terser-webpack-plugin to version 3 or 4 (both use a version of serialize-javascript that is free from this issue).

@charkour A temporary workaround (if you need to get past your CI or something) is to manually override the version of either terser-webpack-plugin or serialize-javascript. At the moment I don't know if there is any compatibility issue that could happen, but at least the changelog can be found here.

@knivesschau Manually installing wouldn't work because (from npm's point of view) react-scripts still requires the other version, so both versions will exist. What should be done is to override the version inside react-scripts' dependencies (in package-lock, for example).

@knivesschau

@dvkndn D'oh! Of course. Thank you! I will give that a try and see if it resolves the issue.

@knivesschau

@dvkndn Thanks again! Overriding the version manually in package-lock worked for me.

@ondrejsudoma

Please let me know if you find a solution!

I tried manually updating serialize-javascript to 4.0.0, which didn't help (and now I understand why). Waiting for a real solution.

@jcamato

jcamato commented Aug 12, 2020

Getting the same vulnerability here

@tdowgielewicz

tdowgielewicz commented Aug 12, 2020

This is what has helped in my CI.

WARNING!
Please note that this really overrides every version of serialize-javascript in your tree to 3.1.0, so you may want to check what else it will break.

Before forcing resolutions:

npm ls serialize-javascript

npm install npm-force-resolutions

In package.json, add resolutions to the root object:

"name": xxx,
"dependencies": {...},
...
"resolutions": {
  "serialize-javascript": "3.1.0"
},

then run npm-force-resolutions:
npx npm-force-resolutions

Packages should now install with the fixed version:

npm install
...
found 0 vulnerabilities

@Pieter-Uys

@tdowgielewicz I think you should put this at the top of your post:

WARNING!
Please note that this really overrides every version of serialize-javascript in your tree to 3.1.0, so you may want to check what else it will break.

Before forcing resolutions:

npm ls serialize-javascript

@tomasdisk

tomasdisk commented Aug 12, 2020

Same issue for me. npm ls serialize-javascript:

app-front@0.0.1 /tomasdisk/app-front
└─┬ react-scripts@3.4.2
  ├─┬ terser-webpack-plugin@2.3.5
  │ └── serialize-javascript@2.1.2

The PR #9470 should solve the vulnerability

@jhammersholt

Same issue for me, and the irony of this is hilarious:

3.4.2 was released to counter another vulnerability:

v3.4.2 release bumps webpack-dev-server to a version for which npm audit does not report a vulnerability. Note that this vulnerability did not affect Create React App projects, so this change is only necessary to satisfy auditing tools.

@gaearon
Contributor

gaearon commented Aug 12, 2020

There is no actual vulnerability here.

If you read the advisory, the attack has to do with having a specially crafted object in the source. However, Terser Webpack Plugin uses serialize-javascript for disk caching. If the attacker can somehow "poison" the source code of your app, you have much bigger problems anyway. In other words, this vulnerability applies to the scenarios where serialize-javascript is used at runtime with untrusted input, but here it is used at build time with trusted input (your own source code).

@gabriel-peracio

@gaearon remember to do a release on GitHub too :)

I just saw this version bump reported via npm-check-updates and came here to see what was going on (I have GitHub set up to alert me on releases to this repo), but there was no release; then I saw that npm had the new one.

@gaearon
Contributor

gaearon commented Aug 12, 2020

Note that even though there's no actual vulnerability, we'd still want the warning to go away. I explained the next steps in #9470 (review) if you'd like to help move that forward.

@gaearon
Contributor

gaearon commented Aug 12, 2020

Fixed the false positive in react-scripts@3.4.3.

@sathninduk

Same issue here

npm -v
6.14.13

react-scripts v4.0.3

@sharunrajeev

Same issue for me too.
npm version 7.13.0
react-scripts v4.0.3
