Open kerimkaan opened 3 years ago
This is now being reported by NPM's audit tools and has begun to fail our pipelines due to its "high" severity.
This is now resolvable by yarn upgrade -A or the npm equivalent, as js-api published a new patch version with the current axios minor version some minutes ago.
A recent upgrade worked out as follows:
❯ yarn audit
yarn audit v1.22.4
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high │ Server-Side Request Forgery │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ axios │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=0.21.1 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ pm2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ pm2 > @pm2/js-api > axios │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://www.npmjs.com/advisories/1594 │
└───────────────┴──────────────────────────────────────────────────────────────┘
1 vulnerabilities found - Packages audited: 960
Severity: 1 High
✨ Done in 1.00s.
❯ yarn upgrade -A
yarn upgrade v1.22.4
[1/5] 🔍 Resolving packages...
[...]
[2/5] 🔍 Auditing packages...
[3/5] 🚚 Fetching packages...
[4/5] 🔗 Linking dependencies...
[5/5] 🔨 Rebuilding all packages...
0 vulnerabilities found - Packages audited: 958
success Saved lockfile.
❯ yarn audit
yarn audit v1.22.4
0 vulnerabilities found - Packages audited: 958
✨ Done in 0.89s.
As @mashpie mentions above, running npm audit and following its instructions works to resolve this with npm:
> $ npm audit [±main ●]
npm http fetch POST 200 https://registry.npmjs.org/-/npm/v1/security/audits 1361ms
=== npm audit security report ===
# Run npm update @pm2/js-api --depth 2 to resolve 1 vulnerability
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Server-Side Request Forgery │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ axios │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ pm2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ pm2 > @pm2/js-api > axios │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1594 │
└───────────────┴──────────────────────────────────────────────────────────────┘
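The "Path" row in the audit tables above is what tells you the vulnerable axios is transitive (pm2 > @pm2/js-api > axios), which is why it cannot be fixed by bumping axios in your own package.json. The following is an added example, not code from the pm2 project or any commenter here: it walks a dependency tree in the shape of a package-lock "dependencies" map and reports every path ending in a copy of a package whose version is below the advisory's patched version. The lock tree and the pm2/js-api version numbers in it are constructed for the example; the patched range >=0.21.1 is the one from the advisory on this page.

```javascript
// Added example: find every dependency path that leads to a vulnerable package
// version, reproducing the "Path" row that yarn audit / npm audit print.

// Constructed sample tree mirroring the path pm2 > @pm2/js-api > axios.
// Versions of pm2 and @pm2/js-api are made up; only axios@0.21.0 matters here.
const sampleLock = {
  dependencies: {
    pm2: {
      version: "4.5.0",
      dependencies: {
        "@pm2/js-api": {
          version: "0.6.0",
          dependencies: { axios: { version: "0.21.0" } },
        },
      },
    },
    express: { version: "4.17.1" },
  },
};

// Minimal major.minor.patch comparison; prerelease tags are ignored.
// Returns -1, 0 or 1 like a comparator.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Depth-first walk over nested "dependencies" maps. Returns one entry per
// occurrence of `name` whose version is below `patchedIn`, with the full path.
function findVulnerablePaths(lock, name, patchedIn, trail = [], out = []) {
  for (const [dep, info] of Object.entries(lock.dependencies || {})) {
    const here = [...trail, dep];
    if (dep === name && compareVersions(info.version, patchedIn) < 0) {
      out.push({ path: here.join(" > "), version: info.version });
    }
    findVulnerablePaths(info, name, patchedIn, here, out); // recurse into nested deps
  }
  return out;
}

// Patched range from the advisory above: axios >=0.21.1.
const findings = findVulnerablePaths(sampleLock, "axios", "0.21.1");
for (const f of findings) console.log(`${f.path} (axios@${f.version} < 0.21.1)`);
```

Pointing it at a real lockfile (JSON.parse of package-lock.json) gives the same path list the audit tools print, which is useful for failing a pipeline on a specific advisory before the registry audit endpoint catches up.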
I have a very similar issue with pm2 5.3.0 but with this vulnerability CVE-2023-45857. It seems the js-api is still using a vulnerable version of axios (0.21.4).
Same as @antoniore-edw, any fixes are planned?
What's going wrong?
How could we reproduce this issue?
Supporting information
Please follow this CVE-2020-28168, related axios issue
Dependency Hierarchy: