GoogleChrome / lighthouse-ci

Automate running Lighthouse for every commit, viewing the changes, and preventing regressions
Apache License 2.0

Update Lighthouse to address CVE-2024-37890 from ws package #1045

Closed ejclark closed 1 week ago

ejclark commented 2 weeks ago

Summary

@lhci/cli has a High severity vulnerability reported by npm audit: https://github.com/advisories/GHSA-3h5v-q93c-6h6q

The patch appears to have been merged into @lhci/cli, but has yet to be released. Cutting a new release should address the CVE by updating to lighthouse@12.x: https://github.com/GoogleChrome/lighthouse-ci/blob/8fe7e8db5c1d5b7c38758adcd42572e74288265e/packages/cli/package.json#L24

Impact (per CVE): A request with a number of headers exceeding the server.maxHeadersCount threshold could be used to crash a ws server.

Details

A vulnerability was detected in the ws package, currently used by the lighthouse@11.x and puppeteer-core@21.x packages (screenshots below). The dependency tree has resolved the vulnerability in lighthouse@12.x.

[Screenshots of the dependency tree, 2024-06-18]

PoC

Execute this command in this package: npm audit

[Screenshot of the npm audit output, 2024-06-18]

connorjclark commented 1 week ago

https://github.com/GoogleChrome/lighthouse-ci/pull/1046

ejclark commented 1 week ago

Thank you for the prompt fix. Much appreciated!