
#CVE-2022-37620 in 1.10.3 (html-minifier@4.0.0 dependency) #1092

Closed
TomaszG opened this issue Jan 12, 2024 · 3 comments

Comments

TomaszG commented Jan 12, 2024

Summary
A ReDoS vulnerability has been found in html-minifier@4.0.0, which is a transitive dependency of the mailer package.

Details
Vulnerability information: https://nvd.nist.gov/vuln/detail/CVE-2022-37620
mjml package ticket: mjmlio/mjml#2802
html-minifier package ticket: kangax/html-minifier#1135

Unfortunately, the latter one doesn't seem to be maintained anymore.

Dependency tree:

@nestjs-modules/mailer 1.10.3
└─┬ mjml 4.14.1
  ├─┬ mjml-cli 4.14.1
  │ ├── html-minifier 4.0.0
  │ └─┬ mjml-core 4.14.1
  │   └── html-minifier 4.0.0
  ├─┬ mjml-core 4.14.1
  │ └── html-minifier 4.0.0
  └─┬ mjml-preset-core 4.14.1
    ├─┬ mjml-accordion 4.14.1
    │ └─┬ mjml-core 4.14.1
    │   └── html-minifier 4.0.0
    ├─┬ mjml-body 4.14.1
    │ └─┬ mjml-core 4.14.1
    │   └── html-minifier 4.0.0
    ├─┬ mjml-button 4.14.1
    │ └─┬ mjml-core 4.14.1
    │   └── html-minifier 4.0.0
    ├─┬ mjml-carousel 4.14.1
    │ └─┬ mjml-core 4.14.1
    │   └── html-minifier 4.0.0
    ├─┬ mjml-column 4.14.1
    │ └─┬ mjml-core 4.14.1
    │   └── html-minifier 4.0.0
    ├─┬ mjml-divider 4.14.1
    │ └─┬ mjml-core 4.14.1
    │   └── html-minifier 4.0.0
    └─┬ mjml-group 4.14.1
      └─┬ mjml-core 4.14.1
        └── html-minifier 4.0.0
juandav (Member) commented Feb 24, 2024

It should be resolved in mailer version 1.11.0. If there are any other issues, please do not hesitate to let me know.

@juandav juandav closed this as completed Feb 24, 2024
TomaszG (Author) commented Apr 22, 2024

@juandav, this is still valid in 1.11.2:

dependencies:
@nestjs-modules/mailer 1.11.2
└─┬ mjml 4.15.3
  ├─┬ mjml-cli 4.15.3
  │ ├── html-minifier 4.0.0
  │ └─┬ mjml-core 4.15.3
  │   └── html-minifier 4.0.0
  ├─┬ mjml-core 4.15.3
  │ └── html-minifier 4.0.0
  └─┬ mjml-preset-core 4.15.3
    ├─┬ mjml-accordion 4.15.3
    │ └─┬ mjml-core 4.15.3
    │   └── html-minifier 4.0.0
    ├─┬ mjml-body 4.15.3
    │ └─┬ mjml-core 4.15.3
    │   └── html-minifier 4.0.0
    ├─┬ mjml-button 4.15.3
    │ └─┬ mjml-core 4.15.3
    │   └── html-minifier 4.0.0
    ├─┬ mjml-carousel 4.15.3
    │ └─┬ mjml-core 4.15.3
    │   └── html-minifier 4.0.0
    ├─┬ mjml-column 4.15.3
    │ └─┬ mjml-core 4.15.3
    │   └── html-minifier 4.0.0
    ├─┬ mjml-divider 4.15.3
    │ └─┬ mjml-core 4.15.3
    │   └── html-minifier 4.0.0
    └─┬ mjml-group 4.15.3
      └─┬ mjml-core 4.15.3
        └── html-minifier 4.0.0

sirmonin commented

@juandav +1. Opened a pull request. I suggest moving mjml into optional dependencies, since it is simply an optional adapter.
