auth0 / node-samlp

SAML Protocol support for node (only IdP for now)
MIT License

Found vulnerabilities 'Improper Input Validation' and 'Prototype Pollution' on Snyk.io #125

Open kanxoramesh opened 3 years ago

kanxoramesh commented 3 years ago

BUG

Snyk.io is reporting a vulnerability for this library. One of the dependency libraries, saml@1.0.0, uses xmldom, which has a vulnerability, and there is also Arbitrary Code Injection from package ejs@3.1.6.

Solution: update the dependency library saml@1.0.0 to 1.0.1, which uses the latest version of xmldom (0.7.4), and also update ejs@2.5.5 to ejs@3.1.6.

RopoMen commented 2 years ago

Github Advisory: https://github.com/advisories/GHSA-phwq-j96m-2c2q

aaronsegstro commented 2 years ago

SAML was updated, but there are still critical vulnerabilities in ejs@2.5.5 that would be corrected by updating to ejs@3.1.8.

decko commented 2 years ago

Hi @aaronsegstro. I just submitted a PR bumping ejs to 3.1.8 here #130.
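The thread above reports transitive dependencies (saml -> xmldom, and ejs nested under samlp) pinned below the versions the commenters ask for. The script below is an added example, not code from node-samlp or from any participant in the thread: it walks a package-lock.json (both the nested lockfileVersion 1 tree and the flat "packages" map of versions 2/3) and flags every copy of ejs, xmldom or saml whose pinned version is below the minimum named in the thread (ejs 3.1.8, xmldom 0.7.4, saml 1.0.1). The lockfile fragment is constructed for illustration; the samlp version in it is a placeholder. This catches the case the thread ran into, where the top-level package was bumped but a nested copy under node_modules/samlp stayed old.

```javascript
// Added example (not part of node-samlp or the issue thread): audit a package-lock.json
// for nested copies of the packages discussed above that sit below the versions the
// commenters requested. Minimum versions are taken from the thread.
const MIN_VERSIONS = {
  ejs: "3.1.8",    // aaronsegstro: update to ejs@3.1.8
  xmldom: "0.7.4", // kanxoramesh: saml@1.0.1 depends on xmldom@0.7.4
  saml: "1.0.1",
};

// Numeric comparison of dotted version strings; a pre-release suffix is ignored.
// Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Flatten either lockfile format into { name, version, path } entries, one per
// installed copy, so nested duplicates are visible.
function collectPackages(lock) {
  const out = [];
  if (lock.packages) { // lockfileVersion 2/3: flat map keyed by install path
    for (const [p, meta] of Object.entries(lock.packages)) {
      if (!p) continue; // "" is the root project itself
      const marker = "node_modules/";
      const name = p.slice(p.lastIndexOf(marker) + marker.length);
      out.push({ name, version: meta.version, path: p });
    }
    return out;
  }
  const walk = (deps, prefix) => { // lockfileVersion 1: nested dependency tree
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      out.push({ name, version: meta.version, path });
      walk(meta.dependencies, path + "/");
    }
  };
  walk(lock.dependencies, "");
  return out;
}

// Every installed copy of a tracked package that is older than the required minimum.
function findOutdated(lock, minimums = MIN_VERSIONS) {
  return collectPackages(lock)
    .filter((e) => minimums[e.name] && compareVersions(e.version, minimums[e.name]) < 0)
    .map((e) => ({ ...e, required: minimums[e.name] }));
}

// Constructed lockfile fragment: saml and the top-level ejs were bumped, but the copy
// of ejs nested under samlp is still 2.5.5. The samlp version is a placeholder.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "": { name: "my-idp", version: "1.0.0" },
    "node_modules/samlp": { version: "0.0.0" },
    "node_modules/samlp/node_modules/ejs": { version: "2.5.5" },
    "node_modules/saml": { version: "1.0.1" },
    "node_modules/saml/node_modules/xmldom": { version: "0.7.4" },
    "node_modules/ejs": { version: "3.1.8" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  for (const f of findOutdated(SAMPLE_LOCK)) {
    console.log(`${f.path}: ${f.version} is below required ${f.required}`);
  }
}

if (typeof module !== "undefined") {
  module.exports = { compareVersions, collectPackages, findOutdated, SAMPLE_LOCK };
}
```

Run it against a real lockfile by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; the path in each finding tells you which parent package still pins the old copy, which is the information `npm audit` output often buries.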