Vulnerabilities introduced by package lodash

[paimon0715]

Hi, @thomseddon @mjsalinger, there are three vulnerabilities introduced in your package oauth2-server:

Issue Description

Vulnerabilities (2 high and 1 medium severity) SNYK-JS-LODASH-590103, CVE-2021-23337 and CVE-2020-28500 are detected in package lodash@4.17.19 which is directly referenced by oauth2-server@3.1.1. We noticed that such a vulnerability has been removed since oauth2-server@4.0.0-dev.1.

However, oauth2-server's popular previous version oauth2-server@3.1.1 (11,057 downloads per week) is still transitively referenced by a large amount of latest versions of active and popular downstream projects (about 138 downstream projects, e.g., ant-nodejs-kit 1.1.119, openiap 1.2.3, qms-nestjs 1.0.40, spich 6.0.1, @mobilejazz/harmony-nest 0.8.2, @jeff-tian/alpha@1.5.6, etc.).
As such, issues SNYK-JS-LODASH-590103, CVE-2021-23337 and CVE-2020-28500 can be propagated into these downstream projects and expose security threats to them.

These projects cannot easily upgrade oauth2-server from version 3.1.1 to (>=4.0.0-dev.1). For instance, oauth2-server@3.1.1 is introduced into the above projects via the following package dependency paths:
(1)@jeff-tian/alpha@1.5.6 ➔ egg-oauth2-server@2.2.6 ➔ oauth2-server@3.1.1 ➔ lodash@4.17.19
......

The projects such as egg-oauth2-server, which introduced oauth2-server@3.1.1, are not maintained anymore. These unmaintained packages can neither upgrade oauth2-server nor be easily migrated by the large amount of affected downstream projects.
On behalf the downstream users, could you help us remove the vulnerability from package oauth2-server@3.1.1?

Suggested Solution

Since these inactive projects set a version constaint 3.1.* for oauth2-server on the above vulnerable dependency paths, if oauth2-server removes the vulnerabilities from 3.1.1 and releases a new patched version oauth2-server@3.1.2, such a vulnerability patch can be automatically propagated into the 138 affected downstream projects.

In oauth2-server@3.1.2, you can kindly try to perform the following upgrade(not crossing major version):
lodash 4.17.19 ➔ 4.17.21;
Note:
lodash@4.17.21(>=4.17.21) has fixed the vulnerabilities (SNYK-JS-LODASH-590103, CVE-2021-23337 and CVE-2020-28500)

Thank you for your help.

Best regards,
Paimon

[mayrbenjamin92]

Do we know when this will be fixed?

[jackhollowaypersonal]

Any update guys?

[orgads]

This was already fixed 4 months ago, but was not released yet.

[HappyZombies]

Hello, due to this project appearing to be dead and no maintainers responding, I went ahead and forked the project under a new organization, and will continue the work over there. https://github.com/node-oauth/node-oauth2-server

Feel free to move over there to further the discussion

[lancejpollard]

Ping? Going to use the fork for now, thank you!

[levpachmanov]

Hey @paimon0715 @lancejpollard,
We're part of a startup called Seal Security that mitigates software vulnerabilities in older open source versions by backporting/creating standalone security patches - enabling more straightforward remediation in cases like this. We created an lodash 4.17.15-sp1 that's vulnerability-free. As with all of our patches, it's open-source and available for free.
If relevant, check out our GitHub repo if you wish to learn more, or start using our app.
Please feel free to reach us at info@seal.security if you have any requests/questions.