Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

npm WARN deprecated vm2@3.9.19: The library contains critical security issues #5030

Open
edocbuhtig opened this issue Jul 25, 2023 · 3 comments
Labels

Comments

@edocbuhtig
Copy link

Description:

When I install the latest Ionic CLI, it is throwing deprecated warning and the latest version CLI is not installed

Steps to Reproduce:
RUN Below commands, per the official guide here

$ npm uninstall -g ionic
$ npm install -g @ionic/cli

``






**Output:**

``
$sudo npm uninstall -g @ionic/cli
Password:

removed 224 packages in 1s
\W $sudo npm install -g @ionic/cli 
npm WARN deprecated vm2@3.9.19: The library contains critical security issues and should not be used for production! The maintenance of the project has been discontinued. Consider migrating your code to isolated-vm.

``
`




**My `ionic info`:**
Ionic CLI is not installed to run ionic info, command

```

Other Information:

@ionitron-bot ionitron-bot bot added the triage label Jul 25, 2023
@4security
Copy link

4security commented Jul 28, 2023

The project discontinued. 9.8 CVE is very high severity (9.8 of 10) https://nvd.nist.gov/vuln/detail/CVE-2023-37466 and should be replaced by https://www.npmjs.com/package/isolated-vm

I don't know the Ionic codebase but vm2 is used to "run untrusted code in Node" should be optional part of a framework.

npm audit result

vm2  *
Severity: critical
vm2 Sandbox Escape vulnerability - https://github.com/advisories/GHSA-cchq-frgv-rjh5
vm2 Sandbox Escape vulnerability - https://github.com/advisories/GHSA-g644-9gfx-q4q4
fix available via `npm audit fix --force`
Will install @ionic/cli@6.18.0, which is a breaking change
node_modules/vm2
  degenerator  3.0.0 - 4.0.4
  Depends on vulnerable versions of vm2
  node_modules/@puppeteer/browsers/node_modules/degenerator
  node_modules/degenerator
    pac-resolver  5.0.0 - 6.0.2
    Depends on vulnerable versions of degenerator
    node_modules/@puppeteer/browsers/node_modules/pac-resolver
    node_modules/pac-resolver
      pac-proxy-agent  5.0.0 - 6.0.4
      Depends on vulnerable versions of pac-resolver
      node_modules/@puppeteer/browsers/node_modules/pac-proxy-agent
      node_modules/pac-proxy-agent
        proxy-agent  5.0.0 - 6.2.2
        Depends on vulnerable versions of pac-proxy-agent
        node_modules/@puppeteer/browsers/node_modules/proxy-agent
        node_modules/proxy-agent
          @puppeteer/browsers  1.4.0 - 1.4.4
          Depends on vulnerable versions of proxy-agent
          node_modules/@puppeteer/browsers
            puppeteer  20.4.0 - 20.8.1
            Depends on vulnerable versions of @puppeteer/browsers
            Depends on vulnerable versions of puppeteer-core
            node_modules/puppeteer
            puppeteer-core  20.4.0 - 20.8.1
            Depends on vulnerable versions of @puppeteer/browsers
            node_modules/puppeteer-core
          superagent-proxy  >=3.0.0
          Depends on vulnerable versions of proxy-agent
          node_modules/superagent-proxy
            @ionic/cli  >=6.18.1
            Depends on vulnerable versions of superagent-proxy
            node_modules/@ionic/cli

@pqnet
Copy link

pqnet commented Aug 17, 2023

The ionic cli itself, mainly to download the starter templates when running ionic start, has to do http requests.

These requests are done using the superagent package.

In order for superagent to support proxies it uses the superagent-proxy package which has not been updated in the last 2 years (but may be getting another update soon just to address this issue, see TooTallNate/superagent-proxy#50)

A proxy server can be configured either by manually specifying proxy parameter or by a proxy autoconfigure script (PAC).

A PAC is basically a Javascript script that computes the proxy parameters dynamically based on destination. PAC resolution is performed by the proxy-agent dependency by running the script in a sandboxed VM.

Older version of proxy-agent ultimately depend on the deprecated vm2 package to run such js code in a sandboxed environment, newer version don't.

So, if you are in a network with an autoconfigured proxy and run ionic start (or add Cordova integration through ionic integration add cordova) you are allowing the network administrator that publishes the proxy script to run arbitrary code on your machine thank to the vm2 bug.

If you are not using an autoconfigured proxy in your development computer, you are not at risk and may disregard the warning.

@4security
Copy link

Is there a way to reduce dependencies? A PAC proxy is edge case for dev machine. Do you think about a kind of plugin / extension?

It is not so nice to have CVEs any projects because of exploitation chains.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging a pull request may close this issue.

3 participants