
Security vulnerability found in fast-xml-parser #1414

Closed
reggieWayflyer opened this issue Aug 8, 2024 · 3 comments · Fixed by #1416
Labels
bug Something isn't working

Comments

@reggieWayflyer

Bug description

It looks like [email protected] has a security vulnerability within its @aws-sdk/** dependency fast-xml-parser.

Within fast-xml-parser a vulnerability to ReDoS exists on currency.js (discovered by Gauss Security Labs R&D team).

A quick run of pnpm why fast-xml-parser outlines where its usage lies.

```
dependencies:
@datadog/datadog-ci 2.41.0
└─┬ @aws-sdk/client-cloudwatch-logs 3.556.0
  ├─┬ @aws-sdk/client-sts 3.556.0
  │ ├─┬ @aws-sdk/core 3.556.0
  │ │ └── fast-xml-parser 4.2.5
  │ └─┬ @aws-sdk/credential-provider-node 3.556.0 peer
  │   ├─┬ @aws-sdk/credential-provider-ini 3.556.0
  │   │ └─┬ @aws-sdk/credential-provider-sso 3.556.0
  │   │   ├─┬ @aws-sdk/client-sso 3.556.0
  │   │   │ └─┬ @aws-sdk/core 3.556.0
  │   │   │   └── fast-xml-parser 4.2.5
  │   │   └─┬ @aws-sdk/token-providers 3.556.0
  │   │     └─┬ @aws-sdk/client-sso-oidc 3.556.0
  │   │       └─┬ @aws-sdk/core 3.556.0
  │   │         └── fast-xml-parser 4.2.5
  │   └─┬ @aws-sdk/credential-provider-sso 3.556.0
  │     ├─┬ @aws-sdk/client-sso 3.556.0
  │     │ └─┬ @aws-sdk/core 3.556.0
  │     │   └── fast-xml-parser 4.2.5
  │     └─┬ @aws-sdk/token-providers 3.556.0
  │       └─┬ @aws-sdk/client-sso-oidc 3.556.0
  │         └─┬ @aws-sdk/core 3.556.0
  │           └── fast-xml-parser 4.2.5
  ├─┬ @aws-sdk/core 3.556.0
  │ └── fast-xml-parser 4.2.5
  └─┬ @aws-sdk/credential-provider-node 3.556.0
    ├─┬ @aws-sdk/credential-provider-ini 3.556.0
    │ └─┬ @aws-sdk/credential-provider-sso 3.556.0
    │   ├─┬ @aws-sdk/client-sso 3.556.0
    │   │ └─┬ @aws-sdk/core 3.556.0
    │   │   └── fast-xml-parser 4.2.5
    │   └─┬ @aws-sdk/token-providers 3.556.0
    │     └─┬ @aws-sdk/client-sso-oidc 3.556.0
    │       └─┬ @aws-sdk/core 3.556.0
    │         └── fast-xml-parser 4.2.5
    └─┬ @aws-sdk/credential-provider-sso 3.556.0
      ├─┬ @aws-sdk/client-sso 3.556.0
      │ └─┬ @aws-sdk/core 3.556.0
      │   └── fast-xml-parser 4.2.5
      └─┬ @aws-sdk/token-providers 3.556.0
        └─┬ @aws-sdk/client-sso-oidc 3.556.0
          └─┬ @aws-sdk/core 3.556.0
            └── fast-xml-parser 4.2.5
```

Describe what you expected

Resolve the issue by bumping the appropriate aws-sdk dependencies.

Steps to reproduce the issue

For any node project with @datadog/datadog-ci installed with a version of 2.40.0 ~ 2.41.0

Additional context

Package manager: pnpm

Command

None

@reggieWayflyer reggieWayflyer added the bug Something isn't working label Aug 8, 2024
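An added example, not code from the issue or from datadog-ci: a small Node script that parses the text output of `pnpm why` (a constructed, abridged copy of the tree above), lists every dependency path that reaches a version of fast-xml-parser below an assumed fixed version, and names the package one hop below the project's direct dependency, which is what that dependency's maintainer has to bump. The `FIXED` threshold is a placeholder; take the real patched version from the advisory.

```javascript
// Constructed, abridged copy of the `pnpm why fast-xml-parser` tree quoted in the issue.
const SAMPLE_PNPM_WHY = `dependencies:
@datadog/datadog-ci 2.41.0
└─┬ @aws-sdk/client-cloudwatch-logs 3.556.0
  ├─┬ @aws-sdk/client-sts 3.556.0
  │ ├─┬ @aws-sdk/core 3.556.0
  │ │ └── fast-xml-parser 4.2.5
  │ └─┬ @aws-sdk/credential-provider-node 3.556.0 peer
  │   └─┬ @aws-sdk/credential-provider-ini 3.556.0
  │     └─┬ @aws-sdk/credential-provider-sso 3.556.0
  │       └─┬ @aws-sdk/client-sso 3.556.0
  │         └─┬ @aws-sdk/core 3.556.0
  │           └── fast-xml-parser 4.2.5
  └─┬ @aws-sdk/core 3.556.0
    └── fast-xml-parser 4.2.5`;
// Rows of {name, version, depth}; depth comes from the column where the name starts (4 for a child of a project dependency, +2 per level).
function parsePnpmWhy(text) {
  const rows = [];
  for (const line of text.split('\n')) {
    const col = line.search(/[@A-Za-z]/);
    if (col < 0 || line.endsWith(':')) continue;           // blank line or the "dependencies:" header
    const [name, version] = line.slice(col).split(/\s+/);  // a trailing "peer" flag is ignored
    rows.push({ name, version, depth: col === 0 ? 0 : (col - 2) / 2 });
  }
  return rows;
}
// Numeric major.minor.patch comparison: negative when a < b (pre-release tags are ignored).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  return 0;
}
// Every path project-dependency -> ... -> target whose target version is below fixedVersion.
function vulnerablePaths(text, target, fixedVersion) {
  const stack = [], found = [];
  for (const { name, version, depth } of parsePnpmWhy(text)) {
    stack.length = depth;                                   // pop back to this row's parent
    stack.push(`${name}@${version}`);
    if (name === target && compareVersions(version, fixedVersion) < 0) found.push([...stack]);
  }
  return found;
}
// Packages one hop below the project's direct dependency on each vulnerable path, deduplicated.
function nextHopsToBump(text, target, fixedVersion) {
  return [...new Set(vulnerablePaths(text, target, fixedVersion).map(p => p[1]))];
}
const FIXED = '9.9.9';  // placeholder threshold: use the patched version from the advisory
vulnerablePaths(SAMPLE_PNPM_WHY, 'fast-xml-parser', FIXED).forEach(p => console.log(p.join(' > ')));
console.log('bump:', nextHopsToBump(SAMPLE_PNPM_WHY, 'fast-xml-parser', FIXED));
```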
@Drarig29 (Contributor)

Hi! This will be fixed in the next patch. Thanks for reporting 🙇

@Hyokune

Hyokune commented Aug 14, 2024

Hello, do we know when the next patch will be releasing? 🙏

@Drarig29 (Contributor)

We just released a new version!
