
CVE-2021-32640 in V3 branch by "ws": "^6.2.1" #3360

Closed
1 of 2 tasks
SymbioticKilla opened this issue May 28, 2021 · 14 comments

Comments

@SymbioticKilla commented May 28, 2021

  • This is a bug
  • This is a modification request

For Bugs: How can we reproduce the behavior?

https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-32640

Expected:
"ws": "^7.4.6"

Will it be fixed in V3 branch?

@AviVahl commented May 31, 2021

@alexander-akait maybe now would be a good time to release the final v4 release, so that we have a non-vulnerable stable release?

We got security audit notifications for many repositories because of this vulnerability.

@connorgurney commented May 31, 2021

We've just had the same @gurstecollective. It'd be good to patch this as soon as we can.

@alexander-akait (Member) commented

@AviVahl Yes, you are right, we have a couple of problems and will fix them in the near future (this week), and then we will do a release.

@hitendra-ap commented Jun 2, 2021

Hi, is there any ETA on this? This has suddenly become important for us, to remove the vulnerability in the ws module. Thanks.

@PtrJsn commented Jun 2, 2021

@hitendra-ap Did you see websockets/ws#1895, linked above? They just released ws@6.2.2 that should take care of you.

@alexander-akait (Member) commented

Fixed websockets/ws#1895 (comment)

@victory-glitch commented

Getting this issue as well in our security scans. The Angular Devkit has a dependency on this package, so it's getting triggered on all our Angular projects.

Since v6.2.2 is published for ws and webpack is using the minor tag with "^6.2.1", I assume the dependency will be automatically updated. Can we close this issue in that case?

@FigueiroaAndre commented

npm audit is reporting this vulnerability with the manual review tag: https://npmjs.com/advisories/1748.

```
                        === npm audit security report ===

                                 Manual Review
             Some vulnerabilities require your attention to resolve

          Visit https://go.npm.me/audit-guide for additional guidance

  Moderate        Regular Expression Denial of Service
  Package         postcss
  Patched in      >=8.2.10
  Dependency of   @angular-devkit/build-angular [dev]
  Path            @angular-devkit/build-angular > resolve-url-loader > postcss
  More info       https://npmjs.com/advisories/1693

  Moderate        Regular Expression Denial of Service
  Package         ws
  Patched in      >=7.4.6
  Dependency of   @angular-devkit/build-angular [dev]
  Path            @angular-devkit/build-angular > webpack-dev-server > ws
  More info       https://npmjs.com/advisories/1748
```

@alexander-akait (Member) commented

Fixed, please update your deps locally: `npm update`

@connorgurney commented

Thanks for resolving this so quickly, @alexander-akait — have a lovely weekend and take care!

@unekinn commented Jun 4, 2021

I don't understand how this is fixed. After running `npm update` and `npm audit fix` I still get this message, indicating the only fix is downgrading webpack-dev-server:

```
ws  5.0.0 - 7.4.5
Severity: moderate
Regular Expression Denial of Service - https://npmjs.com/advisories/1748
fix available via `npm audit fix --force`
Will install webpack-dev-server@3.7.2, which is a breaking change
node_modules/webpack-dev-server/node_modules/ws
  webpack-dev-server  3.8.0 - 3.11.2
  Depends on vulnerable versions of ws
  node_modules/webpack-dev-server
```

(npm version 7.16.0)

For reference, I'm using the latest versions of everything except rxjs, but that should be irrelevant:

```
$ npm outdated
Package  Current  Wanted  Latest  Location           Depended by
rxjs       6.6.7   6.6.7   7.1.0  node_modules/rxjs  reactapp
```

@Den-dp commented Jun 4, 2021

@larskinn technically, ws@6.2.2 contains a backported fix for the ReDoS vulnerability.

The problem is in the npm audit database, which uses outdated info about non-vulnerable versions of ws package.

Otherwise, all these resources, which say that 6.2.2 contains a fix, are wrong:
https://nvd.nist.gov/vuln/detail/CVE-2021-32640
GHSA-6fc8-4gx4-v693
https://snyk.io/vuln/SNYK-JS-WS-1296835

@unekinn commented Jun 4, 2021

> technically, ws@6.2.2 contains a backported fix for the ReDoS vulnerability.
>
> The problem is in the npm audit database, which uses outdated info about non-vulnerable versions of ws package.

Thanks. I misinterpreted the message to mean that ws@6.2.1 was still being installed because of webpack-dev-server. After analyzing my package-lock.json I see that the actually installed versions are ws@6.2.2 and ws@7.4.6, so the problem is indeed npm audit.
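
The check unekinn describes above (reading package-lock.json to see which ws versions are really installed, rather than trusting the audit database) can be scripted. The following is an added example, not code from the ws, webpack or npm projects. It walks both lockfile layouts (nested `dependencies` for lockfileVersion 1, the flat `packages` map for versions 2 and 3), reports every installed copy of ws, and flags those inside the affected range quoted by npm audit in this thread (5.0.0 - 7.4.5, fixed at 6.2.2 on the 6.x line and 7.4.6 on the 7.x line). It also shows why webpack's `"^6.2.1"` range resolves to 6.2.2 and never to 7.4.6. The sample lockfile and the package name `some-stale-dep` are constructed for the demo; prerelease version tags are not handled.

```javascript
'use strict';
// Added example (not from the ws/webpack/npm projects): list every installed copy of
// "ws" in a package-lock.json and flag the ones still inside the advisory's range.
// Range boundaries are taken from the npm audit output quoted in the thread:
// affected 5.0.0 - 7.4.5, fixed at 6.2.2 (backport) and 7.4.6.

// Numeric compare for plain "x.y.z" versions (prerelease tags are not handled).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Does a caret range such as "^6.2.1" admit a version? For major >= 1 a caret range
// means the same major line and not older than the base, which is why "^6.2.1"
// picks up 6.2.2 automatically but can never resolve to 7.4.6.
function caretAllows(range, version) {
  if (!range.startsWith('^')) throw new Error('only caret ranges are supported here');
  const base = range.slice(1);
  const sameMajor = base.split('.')[0] === version.split('.')[0];
  return sameMajor && compareVersions(version, base) >= 0;
}

// First fixed release on each affected major line (from the thread).
const WS_FIXED = { 6: '6.2.2', 7: '7.4.6' };

// Affected per the quoted advisory range 5.0.0 - 7.4.5: 5.x has no fixed release on
// its line, 6.x is fixed from 6.2.2, 7.x from 7.4.6; other majors are outside the range.
function isVulnerable(version) {
  const major = Number(version.split('.')[0]);
  if (major < 5 || major > 7) return false;
  const fixed = WS_FIXED[major];
  if (!fixed) return true;
  return compareVersions(version, fixed) < 0;
}

// Collect every installed copy of `name` from either lockfile layout.
function findInstalled(lock, name) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: keys are install paths like "node_modules/a/node_modules/ws".
    for (const [path, info] of Object.entries(lock.packages)) {
      if (info.version && path.endsWith('node_modules/' + name)) {
        hits.push({ path, version: info.version });
      }
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested "dependencies" objects; rebuild the install path.
    const walk = (deps, prefix) => {
      for (const [dep, info] of Object.entries(deps)) {
        const path = prefix + 'node_modules/' + dep;
        if (dep === name && info.version) hits.push({ path, version: info.version });
        if (info.dependencies) walk(info.dependencies, path + '/');
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

function auditWs(lock) {
  return findInstalled(lock, 'ws').map((h) => ({ ...h, vulnerable: isVulnerable(h.version) }));
}

// Constructed sample (lockfileVersion 2) mirroring the layout in the thread, plus a
// hypothetical package "some-stale-dep" that still pins the old ws.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'reactapp' },
    'node_modules/ws': { version: '7.4.6' },
    'node_modules/webpack-dev-server': { version: '3.11.2' },
    'node_modules/webpack-dev-server/node_modules/ws': { version: '6.2.2' },
    'node_modules/some-stale-dep/node_modules/ws': { version: '6.2.1' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  // Usage: node check-ws-lock.js [path/to/package-lock.json]; without a path the sample is used.
  const fs = require('fs');
  const lock = process.argv[2] ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8')) : SAMPLE_LOCK;
  for (const h of auditWs(lock)) {
    console.log(`${h.vulnerable ? 'VULNERABLE' : 'ok        '} ws@${h.version}  ${h.path}`);
  }
}
```

Run it against a real lockfile with `node check-ws-lock.js package-lock.json`. The point of reading the lockfile rather than `npm audit` output is that the lockfile records what is actually installed, while the audit verdict depends on the advisory database being current, which is exactly the discrepancy discussed in this thread.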

@Den-dp commented Jun 4, 2021

ws@6.2.2 finally marked as unaffected https://www.npmjs.com/advisories/1748 🥳

@alexander-akait alexander-akait unpinned this issue Feb 12, 2024