Current release of @vue/cli-service is affected by CVE-2021-23368 Regular Expression Denial of Service (ReDoS) #6481

Closed
undergroundwires opened this issue May 16, 2021 · 1 comment

undergroundwires commented May 16, 2021

Version

4.5.13

Reproduction link

https://github.com/undergroundwires/privacy.sexy

Environment info

Environment Info:

  System:
    OS: macOS 11.2.3
    CPU: (12) x64 Intel(R) Core(TM) i7-9750H CPU @ 2.60GHz
  Binaries:
    Node: 14.1.0 - /usr/local/bin/node
    Yarn: Not Found
    npm: 7.13.0 - /usr/local/bin/npm
  Browsers:
    Chrome: Not Found
    Edge: Not Found
    Firefox: 88.0.1
    Safari: 14.0.3
  npmPackages:
    @fortawesome/vue-fontawesome: ^2.0.2 => 2.0.2 
    @vue/babel-helper-vue-jsx-merge-props:  1.2.1 
    @vue/babel-helper-vue-transform-on:  1.0.2 
    @vue/babel-plugin-jsx:  1.0.6 
    @vue/babel-plugin-transform-vue-jsx:  1.2.1 
    @vue/babel-preset-app:  4.5.13 
    @vue/babel-preset-jsx:  1.2.4 
    @vue/babel-sugar-composition-api-inject-h:  1.2.1 
    @vue/babel-sugar-composition-api-render-instance:  1.2.4 
    @vue/babel-sugar-functional-vue:  1.2.2 
    @vue/babel-sugar-inject-h:  1.2.2 
    @vue/babel-sugar-v-model:  1.2.3 
    @vue/babel-sugar-v-on:  1.2.3 
    @vue/cli-overlay:  4.5.13 
    @vue/cli-plugin-babel: ^4.5.13 => 4.5.13 
    @vue/cli-plugin-router:  4.5.13 
    @vue/cli-plugin-typescript: ^4.5.13 => 4.5.13 
    @vue/cli-plugin-unit-mocha: ^4.5.13 => 4.5.13 
    @vue/cli-plugin-vuex:  4.5.13 
    @vue/cli-service: ^4.5.13 => 4.5.13 
    @vue/cli-shared-utils:  4.5.13 
    @vue/component-compiler-utils:  3.2.0 
    @vue/preload-webpack-plugin:  1.1.2 
    @vue/test-utils: 1.2.0 => 1.2.0 
    @vue/web-component-wrapper:  1.3.0 
    typescript: ^4.2.4 => 4.2.4 
    vue: ^2.6.12 => 2.6.12 
    vue-class-component: ^7.2.6 => 7.2.6 
    vue-cli-plugin-electron-builder: ^2.0.0 => 2.0.0 
    vue-cli-webpack:  1.0.0 
    vue-hot-reload-api:  2.3.4 
    vue-js-modal: ^2.0.0-rc.6 => 2.0.0-rc.6 
    vue-loader:  15.9.7 (16.2.0)
    vue-property-decorator: ^9.1.2 => 9.1.2 
    vue-resize:  1.0.1 
    vue-style-loader:  4.1.2 
    vue-template-compiler: ^2.6.12 => 2.6.12 
    vue-template-es2015-compiler:  1.9.1 
  npmGlobalPackages:
    @vue/cli: 4.5.10

Steps to reproduce

  • Clone any repo (I tested on privacy.sexy)
  • Run npm install
  • Run npm audit

What is expected?

No vulnerabilities from postcss or npm audit fix in a working state.

What is actually happening?

npm audit is failing

here's the npm audit report
  # npm audit report
  
  postcss  7.0.0 - 8.2.9
  Severity: moderate
  Regular Expression Denial of Service - https://npmjs.com/advisories/1693
  fix available via `npm audit fix --force`
  Will install @vue/[email protected], which is a breaking change
  node_modules/postcss
    @intervolga/optimize-cssnano-plugin  >=1.0.6
    Depends on vulnerable versions of postcss
    node_modules/@intervolga/optimize-cssnano-plugin
    @vue/component-compiler-utils  >=2.4.0
    Depends on vulnerable versions of postcss
    node_modules/@vue/component-compiler-utils
      @vue/cli-service  >=3.1.0
      Depends on vulnerable versions of @vue/component-compiler-utils
      Depends on vulnerable versions of autoprefixer
      Depends on vulnerable versions of css-loader
      Depends on vulnerable versions of cssnano
      Depends on vulnerable versions of postcss-loader
      node_modules/@vue/cli-service
      vue-loader  15.5.0 - 15.9.7
      Depends on vulnerable versions of @vue/component-compiler-utils
      node_modules/vue-loader
    autoprefixer  9.0.0 - 9.8.6
    Depends on vulnerable versions of postcss
    node_modules/autoprefixer
    css-declaration-sorter  4.0.0 - 5.1.2
    Depends on vulnerable versions of postcss
    node_modules/css-declaration-sorter
    css-loader  2.0.0 - 4.3.0
    Depends on vulnerable versions of postcss
    node_modules/@vue/cli-service/node_modules/css-loader
    cssnano  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.1.1 - 4.1.11
    Depends on vulnerable versions of postcss
    node_modules/cssnano
    cssnano-preset-default  <=4.0.0-rc.2 || 4.0.1 - 4.0.8
    Depends on vulnerable versions of cssnano-util-raw-cache
    Depends on vulnerable versions of postcss
    Depends on vulnerable versions of postcss-convert-values
    node_modules/cssnano-preset-default
    cssnano-util-raw-cache  >=4.0.1
    Depends on vulnerable versions of postcss
    node_modules/cssnano-util-raw-cache
    icss-utils  4.0.0 - 4.1.1
    Depends on vulnerable versions of postcss
    node_modules/icss-utils
      postcss-modules-local-by-default  2.0.0 - 4.0.0-rc.4
      Depends on vulnerable versions of icss-utils
      Depends on vulnerable versions of postcss
      node_modules/postcss-modules-local-by-default
      postcss-modules-values  2.0.0 - 4.0.0-rc.5
      Depends on vulnerable versions of icss-utils
      Depends on vulnerable versions of postcss
      node_modules/postcss-modules-values
    postcss-calc  6.0.2 - 7.0.5
    Depends on vulnerable versions of postcss
    node_modules/postcss-calc
    postcss-colormin  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.2 - 4.0.3
    Depends on vulnerable versions of postcss
    node_modules/postcss-colormin
    postcss-convert-values  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1
    Depends on vulnerable versions of postcss
    node_modules/postcss-convert-values
    postcss-discard-comments  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.2
    Depends on vulnerable versions of postcss
    node_modules/postcss-discard-comments
    postcss-discard-duplicates  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.2
    Depends on vulnerable versions of postcss
    node_modules/postcss-discard-duplicates
    postcss-discard-empty  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1
    Depends on vulnerable versions of postcss
    node_modules/postcss-discard-empty
    postcss-discard-overridden  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1
    Depends on vulnerable versions of postcss
    node_modules/postcss-discard-overridden
    postcss-loader  3.0.0 - 4.0.1
    Depends on vulnerable versions of postcss
    node_modules/postcss-loader
    postcss-merge-longhand  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.6 - 4.0.11
    Depends on vulnerable versions of postcss
    node_modules/postcss-merge-longhand
    postcss-merge-rules  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.2 - 4.0.3
    Depends on vulnerable versions of postcss
    node_modules/postcss-merge-rules
    postcss-minify-font-values  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.2
    Depends on vulnerable versions of postcss
    node_modules/postcss-minify-font-values
    postcss-minify-gradients  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.2
    Depends on vulnerable versions of postcss
    node_modules/postcss-minify-gradients
    postcss-minify-params  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.2
    Depends on vulnerable versions of postcss
    node_modules/postcss-minify-params
    postcss-minify-selectors  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.2
    Depends on vulnerable versions of postcss
    node_modules/postcss-minify-selectors
    postcss-modules-extract-imports  2.0.0
    Depends on vulnerable versions of postcss
    node_modules/postcss-modules-extract-imports
    postcss-modules-scope  2.0.0 - 2.2.0
    Depends on vulnerable versions of postcss
    node_modules/postcss-modules-scope
    postcss-normalize-charset  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1
    Depends on vulnerable versions of postcss
    node_modules/postcss-normalize-charset
    postcss-normalize-display-values  <=4.0.0-rc.2 || 4.0.1 - 4.0.2
    Depends on vulnerable versions of postcss
    node_modules/postcss-normalize-display-values
    postcss-normalize-positions  <=4.0.0-rc.2 || 4.0.1 - 4.0.2
    Depends on vulnerable versions of postcss
    node_modules/postcss-normalize-positions
    postcss-normalize-repeat-style  <=4.0.0-rc.2 || 4.0.1 - 4.0.2
    Depends on vulnerable versions of postcss
    node_modules/postcss-normalize-repeat-style
    postcss-normalize-string  <=4.0.0-rc.2 || 4.0.1 - 4.0.2
    Depends on vulnerable versions of postcss
    node_modules/postcss-normalize-string
    postcss-normalize-timing-functions  <=4.0.0-rc.2 || 4.0.1 - 4.0.2
    Depends on vulnerable versions of postcss
    node_modules/postcss-normalize-timing-functions
    postcss-normalize-unicode  <=4.0.0-rc.2 || 4.0.1
    Depends on vulnerable versions of postcss
    node_modules/postcss-normalize-unicode
    postcss-normalize-url  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1
    Depends on vulnerable versions of postcss
    node_modules/postcss-normalize-url
    postcss-normalize-whitespace  <=4.0.0-rc.2 || 4.0.1 - 4.0.2
    Depends on vulnerable versions of postcss
    node_modules/postcss-normalize-whitespace
    postcss-ordered-values  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.1.1 - 4.1.2
    Depends on vulnerable versions of postcss
    node_modules/postcss-ordered-values
    postcss-reduce-initial  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.2 - 4.0.3
    Depends on vulnerable versions of postcss
    node_modules/postcss-reduce-initial
    postcss-reduce-transforms  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.2
    Depends on vulnerable versions of postcss
    node_modules/postcss-reduce-transforms
    postcss-svgo  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.3
    Depends on vulnerable versions of postcss
    node_modules/postcss-svgo
    postcss-unique-selectors  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1
    Depends on vulnerable versions of postcss
    node_modules/postcss-unique-selectors
    stylehacks  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.3
    Depends on vulnerable versions of postcss
    node_modules/stylehacks
  
  45 moderate severity vulnerabilities
  
  To address issues that do not require attention, run:
    npm audit fix
  
  To address all issues (including breaking changes), run:
    npm audit fix --force
npm ls postcss report
  └─┬ @vue/[email protected]
    ├─┬ @intervolga/[email protected]
    │ ├─┬ [email protected]
    │ │ ├─┬ [email protected]
    │ │ │ └── [email protected] deduped
    │ │ ├─┬ [email protected]
    │ │ │ └── [email protected] deduped
    │ │ ├─┬ [email protected]
    │ │ │ └── [email protected] deduped
    │ │ ├─┬ [email protected]
    │ │ │ └── [email protected] deduped
    │ │ ├─┬ [email protected]
    │ │ │ └── [email protected] deduped
    │ │ ├─┬ [email protected]
    │ │ │ └── [email protected] deduped
    │ │ ├─┬ [email protected]
    │ │ │ └── [email protected] deduped
    │ │ ├─┬ [email protected]
    │ │ │ └── [email protected] deduped
    │ │ ├─┬ [email protected]
    │ │ │ └── [email protected] deduped
    │ │ ├─┬ [email protected]
    │ │ │ ├── [email protected] deduped
    │ │ │ └─┬ [email protected]
    │ │ │   └── [email protected] deduped
    │ │ ├─┬ [email protected]
    │ │ │ └── [email protected] deduped
    │ │ ├─┬ [email protected]
    │ │ │ └── [email protected] deduped
    │ │ ├─┬ [email protected]
    │ │ │ └── [email protected] deduped
    │ │ ├─┬ [email protected]
    │ │ │ └── [email protected] deduped
    │ │ ├─┬ [email protected]
    │ │ │ └── [email protected] deduped
    │ │ ├─┬ [email protected]
    │ │ │ └── [email protected] deduped
    │ │ ├─┬ [email protected]
    │ │ │ └── [email protected] deduped
    │ │ ├─┬ [email protected]
    │ │ │ └── [email protected] deduped
    │ │ ├─┬ [email protected]
    │ │ │ └── [email protected] deduped
    │ │ ├─┬ [email protected]
    │ │ │ └── [email protected] deduped
    │ │ ├─┬ [email protected]
    │ │ │ └── [email protected] deduped
    │ │ ├─┬ [email protected]
    │ │ │ └── [email protected] deduped
    │ │ ├─┬ [email protected]
    │ │ │ └── [email protected] deduped
    │ │ ├─┬ [email protected]
    │ │ │ └── [email protected] deduped
    │ │ ├─┬ [email protected]
    │ │ │ └── [email protected] deduped
    │ │ ├─┬ [email protected]
    │ │ │ └── [email protected] deduped
    │ │ ├─┬ [email protected]
    │ │ │ └── [email protected] deduped
    │ │ ├─┬ [email protected]
    │ │ │ └── [email protected] deduped
    │ │ ├─┬ [email protected]
    │ │ │ └── [email protected] deduped
    │ │ └── [email protected] deduped
    │ └── [email protected]
    ├─┬ @vue/[email protected]
    │ └── [email protected] deduped
    ├─┬ [email protected]
    │ └── [email protected] deduped
    ├─┬ [email protected]
    │ ├─┬ [email protected]
    │ │ └── [email protected] deduped
    │ ├─┬ [email protected]
    │ │ └── [email protected] deduped
    │ ├─┬ [email protected]
    │ │ └── [email protected] deduped
    │ ├─┬ [email protected]
    │ │ └── [email protected] deduped
    │ ├─┬ [email protected]
    │ │ └── [email protected] deduped
    │ └── [email protected] deduped
    ├─┬ [email protected]
    │ └── [email protected] deduped
    ├─┬ [email protected]
    │ └── [email protected] deduped
    └─┬ [email protected]
      └─┬ [email protected]
        ├─┬ [email protected]
        │ └── [email protected] deduped
        ├─┬ [email protected]
        │ └── [email protected] deduped
        ├─┬ [email protected]
        │ └── [email protected] deduped
        ├─┬ [email protected]
        │ └── [email protected] deduped
        ├─┬ [email protected]
        │ └── [email protected] deduped
        └── [email protected]

https://www.npmjs.com/advisories/1693
https://nvd.nist.gov/vuln/detail/CVE-2021-23368

@haoqunjiang
Member

Duplicate of #6467
See #6467 (comment)
