Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

DoS vulnerability from dicer@0.2.5 #1095

Closed
mrded opened this issue May 20, 2022 · 15 comments
Closed

DoS vulnerability from dicer@0.2.5 #1095

mrded opened this issue May 20, 2022 · 15 comments
Labels
deps

Comments

@mrded
Copy link

mrded commented May 20, 2022

Hello,

Snyk is reporting a vulnerability in this repo, that is coming from the Dicer library:

Issues with no direct upgrade or patch:
  ✗ Denial of Service (DoS) [High Severity][https://snyk.io/vuln/SNYK-JS-DICER-2311764] in dicer@0.2.5
    introduced by multer@1.4.4 > busboy@0.2.14 > dicer@0.2.5
  No upgrade or patch available

Updating busboy@^1.0.0 drops the dependency on dicer (where the vuln comes from).

Thanks
@mrded
Copy link
Author

mrded commented May 20, 2022

#1096

@mrded
Copy link
Author

mrded commented May 23, 2022

Better solution: #1097

@krsubbar
Copy link

@mrded Thanks for raising this PR 1097. Request the team to merge this soon. As github is also reporting a high vulnerability which will get fixed with this busboy version upgrade. GHSA-wm7h-9275-46v2

@roneyantony
Copy link

High Crash in HeaderParser in dicer

Package dicer

Patched in No patch available

Dependency of multer

Path multer > busboy > dicer

@yurisim yurisim mentioned this issue May 26, 2022
Open
@chkp-idoma chkp-idoma mentioned this issue May 26, 2022
Closed
BobbyWibowo added a commit to BobbyWibowo/lolisafe that referenced this issue Jun 3, 2022
@BobbyWibowo
fix(deps): multer CVE-2022-24434
a43eeea 
expressjs/multer#1095

expressjs/multer@v1.4.4...v1.4.5-lts.1
perdedora pushed a commit to perdedora/lolisafe that referenced this issue Jun 3, 2022
@BobbyWibowo @perdedora
fix(deps): multer CVE-2022-24434
8ea5488 
expressjs/multer#1095

expressjs/multer@v1.4.4...v1.4.5-lts.1
@victorKariuki
Copy link

We need that fix, i don't like Severity: high, a warning is fine not red notifications.

@1yzz
Copy link

1yzz commented Jun 15, 2022

I need this

@LinusU
Copy link
Member

LinusU commented Jun 15, 2022

This is fixed in version 1.4.5-lts.1. That version has a breaking change in that it's not compatible with older versions of Node.js anymore. If anyone can contribute a backwards-compatible patch we could release that as 1.4.5 without the -lts.1 postfix.

@victorKariuki
Copy link

victorKariuki commented Jun 15, 2022 via email

@123NeNaD
Copy link

What versions of Node are compatible?

@LinusU
Copy link
Member

LinusU commented Jun 16, 2022

What versions of Node are compatible?

v10.16.0 or newer

@victorKariuki
Copy link

victorKariuki commented Jun 21, 2022 via email

@ashish1497
Copy link

This is fixed in version 1.4.5-lts.1. That version has a breaking change in that it's not compatible with older versions of Node.js anymore. If anyone can contribute a backwards-compatible patch we could release that as 1.4.5 without the -lts.1 postfix.

Has this been done or we should do npm i multer@1.4.5-lts.1?

@bryanph
Copy link

bryanph commented Jul 6, 2022

@LinusU perhaps a good reason to release it as 2.0 to indicate a breaking change (removing support for older node versions)?

@ZhaoKunLong
Copy link

Is any way to resolve this issue?

@LinusU
Copy link
Member

LinusU commented Oct 30, 2022

@bryanph there is already another 2.0 release line with multiple releases

@ZhaoKunLong @ashish1497 yes, npm i multer@1.4.5-lts.1 should fix this 👍

@LinusU LinusU closed this as completed Oct 30, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
deps
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests