Please enable private disclosures ASAP

brix / crypto-js

JavaScript library of crypto standards.

Other

15.87k stars 2.39k forks source link

Please enable private disclosures ASAP #466

Closed Zemnmez closed 1 year ago

Zemnmez commented 1 year ago

You can do it with the Security panel.

Please enable:

"Security advisories"
"Private vulnerability reporting"

I found a serious vulnerability in crypto-js. Please enable vulnerability disclosures so I can responsibly disclose the vulnerability. Thanks.

Twitter thread with some context: https://twitter.com/zemnmez/status/1714513369745830026

wulinnan commented 1 year ago

hello,I'd like to ask about this vulnerability, what exactly is it and is it easy to say, because I see that this library is supposed to be the most popular at the moment and have recently wanted to use it.

MaksimKiselev commented 1 year ago

@Zemnmez https://twitter.com/evanvosberg

Zemnmez commented 1 year ago

@MaksimKiselev https://twitter.com/zemnmez/status/1714167497551925457

Zemnmez commented 1 year ago

hello,I'd like to ask about this vulnerability, what exactly is it and is it easy to say, because I see that this library is supposed to be the most popular at the moment and have recently wanted to use it.

I can't answer this question without doing serious damage by disclosing it when there is no patch.

evanvosberg commented 1 year ago

@Zemnmez reporting vulnerabilities is enabled now, although the project itself is discontinued.

Zemnmez commented 1 year ago

https://github.com/brix/crypto-js/security/advisories/GHSA-xwcq-pm8m-c4vf