nth-check vulnerability found in react-scripts@4.0.3

[sandeepraina-lenze]

Hi,

I have a dashboard developed in reactjs and from last few days my github has started to display a vulnerability issue in react-scripts@4.0.3 for nth-check dependency.

react-scripts@4.0.3 uses nth-check v1.0.2 where as to resolve the vulnerability issue the recommended version is 2.1.0 or higher.

Remediation
Upgrade nth-check to version 2.0.1 or later. For example:

"dependencies": {
  "nth-check": ">=2.0.1"
}
or…
"devDependencies": {
  "nth-check": ">=2.0.1"
}

CVE-2021-3803
moderate severity
Vulnerable versions: < 2.0.1
Patched version: 2.0.1
nth-check is vulnerable to Inefficient Regular Expression Complexity

Dependabot cannot update nth-check to a non-vulnerable version
The latest possible version that can be installed is 1.0.2 because of the following conflicting dependency:

react-scripts@4.0.3 requires nth-check@^1.0.2 via a transitive dependency on css-select@2.1.0
The earliest fixed version is 2.0.1.

Thanks and Regards,
Sandeep

[saisnigdha93]

Security vulnerability is reported in react-scripts 5.0.0 version also.

Audit report -
Moderate Inefficient Regular Expression Complexity in nth-check
Package nth-check
Patched in >=2.0.1
Dependency of react-scripts [dev]
Path react-scripts > @svgr/webpack > @svgr/plugin-svgo > svgo >
css-select > nth-check
More info GHSA-rp65-9cf3-cjxr

[iiLearner]

Could this be looked into as well? most of other vulnerabilities were fixed in react-scripts 5.0.0 except this one

[donsander]

It would be greatly appreciated if this was resolved in the next release.

[rbrewington]

Agreed. This vulnerability is being flagged by dependabot in my repo with react-scripts@5.0.0. Seems @svgr/webpack just needs to be updated to the latest version, and it will be fixed.

Someone already has a PR up
#11780

[jtiscione]

Agreed. This vulnerability is being flagged by dependabot in my repo with react-scripts@5.0.0. Seems @svgr/webpack just needs to be updated to the latest version, and it will be fixed.

Someone already has a PR up #11780

It's been stuck in limbo for months waiting for approval.

[agkhare]

We are waiting for this vulnerability to be fixed, since long long time. Can someone please provide us an ETA on this one ?

[acomito]

is it possible to temporarily resolve this using yarn resolutions?

edit:

warning Resolution field "nth-check@2.1.1" is incompatible with requested version "nth-check@^1.0.2"

😔

[coronelauth]

My current npm dependencies:
"react-scripts": "^5.0.1",
"css-select": "4.3.0",
"nth-check": "2.1.1",
"@svgr/webpack": "5.5.0",

but I got this:

npm audit report

nth-check  <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix --force`
**Will install react-scripts@2.1.3, which is a breaking change**
node_modules/svgo/node_modules/nth-check
  css-select  <=3.1.0
  Depends on vulnerable versions of nth-check
  node_modules/svgo/node_modules/css-select
    svgo  1.0.0 - 1.3.2
    Depends on vulnerable versions of css-select
    node_modules/svgo
      @svgr/plugin-svgo  <=5.5.0
      Depends on vulnerable versions of svgo
      node_modules/@svgr/plugin-svgo
        @svgr/webpack  4.0.0 - 5.5.0
        Depends on vulnerable versions of @svgr/plugin-svgo
        node_modules/@svgr/webpack
          react-scripts  >=2.1.4
          Depends on vulnerable versions of @svgr/webpack
          node_modules/react-scripts

6 high severity vulnerabilities

[isqua]

@coronelauth, I'll assume that you still have the error because of this dependency chain:

1. react-script@5.0.1 depends on @svgr/webpack@^5.5.0, which means greater then 5.5.0 but still 5.x.x. And the 5.5.0 is the latest version in 5.x.x. You can check it on npm semver calculator
2. @svgr/webpack@5.5.0 depends on @svgr/plugin-svgo@^5.5.0, again the highest ^5.5.0 version is 5.5.0 itself;
3. @svgr/plugin-svgo@5.5.0 depends on svgo@^1.2.2, according to npm semver calculator it means 1.2.2, 1.3.0, 1.3.1, or 1.3.2 version;
4. svgo@1.3.2 depends on css-select@^2.0.0, which means 2.0.0, 2.0.2, or 2.1.0;
5. css-select@2.1.0depends on nth-check@^1.0.2, according to npm semver calculator it means exactly 1.0.2, which has Inefficient Regular Expression Complexity vulnerability.

Despite the fact you strictly require "nth-check": "2.1.1" and "css-select": "4.3.0" in your project dependencies, @svgr/webpack@5.5.0 and react-scripts@^5.0.1 still require vulnerable nth-check@1.0.2 package transitively.

So react-scripts package still needs to get updated dependencies in itself.

[isqua]

Unwinding this tangle back:

1. The vulnerability was patched in nth-check@2.0.1.
2. The minimum version of css-select depends on nth-check@2.0.1 or higher is 4.2.0, if I found it correctly.
3. The minimum version of svgo that may cause installation of css-select@4.2.0 or higher is 2.3.1 - it depends on css-select@^4.1.3 which may install css-select@4.2.0.
4. The minimum version of @svgr/plugin-svgo that may cause installation of svgo@2.3.1 or higher is 6.0.0: it depends on svgo@^2.5.0. As we found earlier version 5.5.0 depends on svgo@^1.2.2, which is insufficient.
5. The minimum version of @svgr/webpack that depends on @svgr/plugin-svgo@6.0.0 is 6.0.0 too.

So the solution of this problem is to upgrade @svgr/webpack in react-scripts at least up to 6.0.0

• Which @TrySound did at Upgrade to svgr 6 #11780.
• Or @bhardwajhimanshu219 did at webpack version upgrade #12026.
• Or @daschaa did at Bumps @svgr/webpack dependency to version 6.2.1 #12172.

But none of them are merged 😿

[isqua]

And also we have some duplicates of this issue:

• Security advisory alert (moderate severity) for nth-check, a dependency of css-select #11491
• Upgrade nth check and web-socket extension sub dependency #11990
• Is this reported? Any fix? #11993
• update vulnerable dependencies #12055
• Vulnerability in react-scripts > @svgr/webpack > @svgr/plugin-svgo > svgo > css-select > nth-check & css-what #12132

And here is the issue where @gaearon explains that it’s not a problem: #11174

[gaearon]

As often, it's not a real vulnerability. If you read the description, it explains that the attack vector is via network, but this is a build-time dependency that doesn't exist in built apps (the only dependency of a CRA app after build is React itself). As explained in #11174 we will not be addressing fake vulnerabilities.

If this is frustrating to you, please express it to npm, who are responsible for this security theater. Some npm support channels:

• https://github.com/npm/cli/issues
• https://github.com/npm/rfcs/discussions
• https://www.npmjs.com/support