Closed anaezes closed 3 weeks ago
Noting that this project currently is pinning @apidevtools/json-schema-ref-parser@9.0.6, which is not in the vulnerable range of the CVE.
Actually, I did a bit more analysis of this vuln and I believe it affected version @apidevtools/json-schema-ref-parser@9.0.6, and many prior.
The fix here (fix(prototype): prevent prototype pollution · APIDevTools/json-schema-ref-parser@8cad7f7) is:
-const keys = Object.keys(source);
+// prevent prototype pollution
+const keys = Object.keys(source).filter((key) => !["__proto__", "constructor", "prototype"].includes(key));
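Review bot: the filter on `const keys = Object.keys(source).filter(...)` silently drops any own key literally named `constructor` or `prototype`, which a schema or document can legitimately use as a property name, so such entries are lost in the merge rather than rejected with an error; consider at least surfacing the skipped key (warning or thrown error) and adding a test that pins the intended behaviour. The hunk shows no surrounding context, so it is also not visible whether this loop is the only place nested objects are walked; every level that copies keys from untrusted input needs the same guard, or a `__proto__` entry nested one level down still reaches the prototype.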
And the line `const keys = Object.keys(source)` goes much further back.
There was a rewrite of .js → .ts, and that line appeared in the JS version:
We see it goes back to v3 at least here
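To make the mechanism behind that one-line fix concrete, here is an added example (not code from json-schema-ref-parser or from the commenters above): a minimal recursive merge in the unguarded shape, `Object.keys(source)` with no filter, beside the same merge with the key filter from commit 8cad7f7 applied at every level. The input document is a constructed JSON string; `JSON.parse` turns a `"__proto__"` member into a real own property, which is exactly what the unfiltered key loop then walks into. To keep the demonstration contained, the target objects are created with a private prototype (a hypothetical stand-in for `Object.prototype`), so the unguarded merge pollutes only that private object and nothing else in the process.

```javascript
// Added example, not project code. Demonstrates why an unfiltered
// Object.keys(source) loop is a prototype pollution sink, and how the
// key filter from the fix closes it.

const UNSAFE_KEYS = ["__proto__", "constructor", "prototype"];

function isPlainObject(value) {
  return value !== null && typeof value === "object" && !Array.isArray(value);
}

// Unguarded merge: visits every own key of `source`, including one literally
// named "__proto__". Reading target["__proto__"] then returns the prototype,
// and the recursive call writes into it.
function mergeUnguarded(target, source) {
  const keys = Object.keys(source);
  for (const key of keys) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      mergeUnguarded(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Guarded merge: same loop, with the filter from the fix. Because the merge
// recurses through this same function, the filter applies at every depth.
function mergeGuarded(target, source) {
  const keys = Object.keys(source).filter((key) => !UNSAFE_KEYS.includes(key));
  for (const key of keys) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      mergeGuarded(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Constructed untrusted input. JSON.parse creates an own property named
// "__proto__" (an object literal {__proto__: ...} would instead set the
// prototype, which is why Object.keys sees this one).
const UNTRUSTED_JSON = '{"title":"x","__proto__":{"polluted":"yes"}}';

// Runs one merge against a target whose prototype is a private object
// (hypothetical stand-in for Object.prototype), then checks whether an
// unrelated object sharing that prototype acquired the injected property.
function demo(merge) {
  const privateProto = {};
  const target = Object.create(privateProto);
  merge(target, JSON.parse(UNTRUSTED_JSON));
  const bystander = Object.create(privateProto);
  return { title: target.title, bystanderPolluted: bystander.polluted };
}

console.log("unguarded:", demo(mergeUnguarded)); // bystanderPolluted: "yes"
console.log("guarded:  ", demo(mergeGuarded));   // bystanderPolluted: undefined
```

The `bystander` object is the point of the demo: it never touched the untrusted input, yet after the unguarded merge it reports `polluted: "yes"`, which is the behaviour that, with `Object.prototype` as the shared prototype, leaks into every object in the application. Note that the guard in the fix drops keys rather than rejecting the document, so a schema that genuinely uses a property named `constructor` will lose it silently.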
A dependency used in this project @apidevtools/json-schema-ref-parser is vulnerable to a prototype pollution attack, as listed in https://nvd.nist.gov/vuln/detail/CVE-2024-29651 - https://github.com/advisories/GHSA-5f97-h2c2-826q
We should bump this dependency in order to avoid any potential vulnerabilities, and to prevent vulnerability alarms by automated CVE analysis in this project.