
NPM audit fails for anything depending on aws-crt and axios / CVE-2024-39338 #6381

Open
3 tasks done
terozio opened this issue Aug 13, 2024 · 2 comments
Assignees
Labels
bug This issue is a bug. p2 This is a standard priority issue

Comments


terozio commented Aug 13, 2024

Checkboxes for prior research

Describe the bug

npm audit fails when you depend on packages which use aws-crt, because aws-crt depends on a vulnerable version of axios.

CVE for axios: GHSA-8hc4-vh64-cxmj

SDK version number

@aws-sdk/[email protected]

Which JavaScript Runtime is this issue in?

Node.js

Details of the browser/Node.js/ReactNative version

v20.10.0

Reproduction Steps

npm install @aws-sdk/client-dynamodb

npm audit

npm ls axios

├─┬ @aws-sdk/[email protected]
│ └─┬ @aws-sdk/[email protected]
│   └─┬ [email protected]
│     └── [email protected] 

Observed Behavior

axios  >=1.3.2
Severity: high
Server-Side Request Forgery in axios - https://github.com/advisories/GHSA-8hc4-vh64-cxmj
fix available via `npm audit fix`
node_modules/axios
  aws-crt  >=1.19.0
  Depends on vulnerable versions of axios
  node_modules/aws-crt

2 high severity vulnerabilities

Expected Behavior

Expect to have no vulnerabilities.

Possible Solution

No response

Additional Information/Context

Issue in axios repository: axios/axios#6463

@terozio terozio added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Aug 13, 2024
@terozio terozio changed the title NPM audit fails for anything depending on aws-crt and axios → NPM audit fails for anything depending on aws-crt and axios / CVE-2024-39338 Aug 13, 2024
@aBurmeseDev aBurmeseDev self-assigned this Aug 13, 2024
@aBurmeseDev
Member

Hi @terozio - thanks for reporting.

I'm reaching out to the AWS CRT team to address this. Upon checking the current version of axios used in aws-crt, it's specified as ^1.7.2, which means it should be compatible with versions up to the latest patch release.

In the meantime, while we wait for the aws-crt maintainers to address this vulnerability, you can update the axios version in your project's package-lock.json file to the latest patched version (1.7.4), which should resolve the vulnerability.

For those who come across this issue, the recommended solution is to manually update the axios version in your package-lock.json file to 1.7.4 until the aws-crt maintainers release an updated version with a non-vulnerable axios dependency.

@aBurmeseDev aBurmeseDev added p2 This is a standard priority issue response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. and removed needs-triage This issue or PR still needs to be triaged. labels Aug 13, 2024
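The reproduction steps above use `npm ls axios` to locate the nested copy of axios that `npm audit` flags, and the suggested workaround is to bump that copy in package-lock.json to 1.7.4. The script below is an added example, not code from this issue or from the AWS SDK project: it walks the JSON form of the same `npm ls` tree and reports every path where axios resolves below the patched version, which is a quick way to confirm the lock-file edit actually took effect (a top-level `axios@1.7.4` does nothing for a separate copy nested under `aws-crt`). The embedded tree is a constructed sample that mirrors the chain shown in the report; the `0.0.0-placeholder` strings and the `1.7.3` nested axios are placeholders, not values taken from a real install.

```python
"""Flag transitive copies of a package that resolve below a minimum (patched) version.

Input is the JSON produced by `npm ls <pkg> --json --all`; the sample below is
constructed for illustration and mirrors the dependency chain from the report.
"""
import json
import re
import sys

# Lowest axios release the advisory in this thread reports as fixed.
PATCHED_AXIOS = "1.7.4"

# Constructed sample: an app that pins a patched axios at top level but still
# carries a second, older copy nested under aws-crt. Version strings other than
# the two axios entries are placeholders, not real SDK versions.
SAMPLE_NPM_LS = {
    "name": "example-app",
    "version": "0.0.0",
    "dependencies": {
        "axios": {"version": "1.7.4"},
        "@aws-sdk/client-dynamodb": {
            "version": "0.0.0-placeholder",
            "dependencies": {
                "@aws-sdk/util-user-agent-node": {
                    "version": "0.0.0-placeholder",
                    "dependencies": {
                        "aws-crt": {
                            "version": "0.0.0-placeholder",
                            "dependencies": {
                                "axios": {"version": "1.7.3"},  # constructed vulnerable copy
                            },
                        }
                    },
                }
            },
        },
    },
}


def parse_version(version):
    """Return the numeric (major, minor, patch) core of a semver string.

    Pre-release and build suffixes are ignored, so "1.7.4-rc.1" compares equal
    to "1.7.4"; that is good enough for a "below the patched release" check.
    """
    match = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version)
    if not match:
        raise ValueError(f"not a semver version: {version!r}")
    return tuple(int(part) for part in match.groups())


def find_outdated(tree, package, min_version, path=()):
    """Return (dependency path, version) for every copy of `package` below `min_version`.

    Walks the nested "dependencies" objects of `npm ls --json` output; entries
    without a "version" (for example deduped references) are skipped.
    """
    hits = []
    floor = parse_version(min_version)
    for name, node in tree.get("dependencies", {}).items():
        here = path + (name,)
        version = node.get("version")
        if name == package and version and parse_version(version) < floor:
            hits.append((" > ".join(here), version))
        hits.extend(find_outdated(node, package, min_version, here))
    return hits


def check_sample():
    """Run the check against the constructed sample tree."""
    return find_outdated(SAMPLE_NPM_LS, "axios", PATCHED_AXIOS)


if __name__ == "__main__":
    # Usage: npm ls axios --json --all > tree.json && python check_axios.py tree.json
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            tree = json.load(fh)
    else:
        tree = SAMPLE_NPM_LS
    outdated = find_outdated(tree, "axios", PATCHED_AXIOS)
    for dep_path, version in outdated:
        print(f"axios {version} below {PATCHED_AXIOS} via: {dep_path}")
    if not outdated:
        print(f"no axios copies below {PATCHED_AXIOS}")
    sys.exit(1 if outdated else 0)
```

Run it once before editing package-lock.json and once after; the nested path printed for the sample is exactly the chain `npm ls axios` shows in the report, and a clean run after the edit (exit status 0) confirms that the nested copy, not just the top-level one, moved to 1.7.4.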
@jmklix
Member

jmklix commented Aug 16, 2024

aws-crt-nodejs was updated in this PR: awslabs/aws-crt-nodejs#571
When this SDK updates its dependency on aws-crt-nodejs to v1.21.5, this vulnerability will be patched.

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Sep 27, 2024

3 participants