cypress-io / cypress

Fast, easy and reliable testing for anything that runs in a browser.
https://cypress.io
MIT License

CVE-2022-25858 found on trivy scan cypress version 13.3.3 #28194

Closed eagle-txec closed 4 months ago

eagle-txec commented 11 months ago

Current behavior

Installed version is 4.8.0

Desired behavior

Upgraded fix versions are 4.8.1, 5.14.2

Test code to reproduce

.

Cypress Version

13.3.3

Node version

16.20.2

Operating System

-

Debug Logs

"VulnerabilityID": "CVE-2022-25858",
          "InstalledVersion": "4.8.0",
          "LastModifiedDate": "2023-08-08T14:22:00Z"
        },
        {
          "CVSS": {
            "nvd": {
              "V3Score": 7.5,
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
            },
            "ghsa": {
              "V3Score": 7.5,
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
            },
            "redhat": {
              "V3Score": 7.5,
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
            }
          },
          "Layer": {
            "DiffID": "sha256:e2ddedde812d03ee158150d58a19d4458068fc655e610b0b0e3e95b10b30c6af"
          },
          "PkgID": "terser@4.8.0",
          "Title": "insecure use of regular expressions leads to ReDoS",
          "CweIDs": [
            "CWE-1333"
          ],
          "Status": "fixed",
          "PkgName": "terser",
          "PkgPath": "src/.artifacts/.cache/Cypress/13.3.3/Cypress/resources/app/node_modules/html-minifier-terser/node_modules/terser/package.json",
          "Severity": "HIGH",
          "DataSource": {
            "ID": "ghsa",
            "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm",
            "Name": "GitHub Security Advisory npm"
          },
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-25858",
          "References": [
            "https://access.redhat.com/security/cve/CVE-2022-25858",
            "https://github.com/terser/terser",
            "https://github.com/terser/terser/blob/master/lib/compress/evaluate.js%23L135",
            "https://github.com/terser/terser/commit/a4da7349fdc92c05094f41d33d06d8cd4e90e76b",
            "https://github.com/terser/terser/commit/d8cc5691be980d663c29cc4d5ce67e852d597012",
            "https://nvd.nist.gov/vuln/detail/CVE-2022-25858",
            "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2949722",
            "https://snyk.io/vuln/SNYK-JS-TERSER-2806366",
            "https://www.cve.org/CVERecord?id=CVE-2022-25858"
          ],
          "Description": "The package terser before 4.8.1, from 5.0.0 and before 5.14.2 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.",
          "FixedVersion": "4.8.1, 5.14.2",
          "PublishedDate": "2022-07-15T20:15:00Z",
          "SeveritySource": "ghsa",
          "VulnerabilityID": "CVE-2022-25858",
          "InstalledVersion": "4.8.0",

Other

-

cypress-app-bot commented 5 months ago

This issue has not had any activity in 180 days. Cypress evolves quickly and the reported behavior should be tested on the latest version of Cypress to verify the behavior is still occurring. It will be closed in 14 days if no updates are provided.

cypress-app-bot commented 4 months ago

This issue has been closed due to inactivity.