search

aws / aws-sdk-js-v3

Modularized AWS SDK for JavaScript.
Apache License 2.0
3.03k stars 569 forks source link

NPM audit fails for anything depending on aws-crt and axios / CVE-2024-39338 #6381

Open terozio opened 1 month ago

terozio commented 1 month ago

Checkboxes for prior research

Describe the bug

npm audit fails when you depend on packages which use aws-crt, because aws-crt depends on a vulnerable version of axios.

CVE for axios: https://github.com/advisories/GHSA-8hc4-vh64-cxmj

SDK version number

@aws-sdk/client-dynamodb@3.629

Which JavaScript Runtime is this issue in?

Node.js

Details of the browser/Node.js/ReactNative version

v20.10.0

Reproduction Steps

npm install @aws-sdk/client-dynamodb

npm audit

npm ls axios

├─┬ @aws-sdk/client-dynamodb@3.629.0
│ └─┬ @aws-sdk/util-user-agent-node@3.614.0
│   └─┬ aws-crt@1.21.3
│     └── axios@1.7.3

Observed Behavior

axios  >=1.3.2
Severity: high
Server-Side Request Forgery in axios - https://github.com/advisories/GHSA-8hc4-vh64-cxmj
fix available via `npm audit fix`
node_modules/axios
  aws-crt  >=1.19.0
  Depends on vulnerable versions of axios
  node_modules/aws-crt

2 high severity vulnerabilities

Expected Behavior

Expect to have no vulnerabilities.

Possible Solution

No response

Additional Information/Context

Issue in axios repository: https://github.com/axios/axios/issues/6463

aBurmeseDev commented 1 month ago

Hi @terozio - thanks for reporting.

I'm reaching out to AWS CRT team to address this. Upon checking the current version of axios used in aws-crt, it's specified as ^1.7.2, which means it should be compatible with versions up to the latest patch release.

In the meantime, while we wait for the aws-crt maintainers to address this vulnerability, you can update the axios version in your project's package-lock.json file to the latest patched version (1.7.4), which should resolve the vulnerability.

For those who come across this issue, the recommended solution is to manually update the axios version in your package-lock.json file to 1.7.4 until the aws-crt maintainers release an updated version with a non-vulnerable axios dependency.

jmklix commented 4 weeks ago

aws-crt-nodejs was updated in this PR: https://github.com/awslabs/aws-crt-nodejs/pull/571 When this sdk updates it's dependency of aws-crt-nodejs to v1.21.5, then this vulnerability will be patched.