Closed eagle-txec closed 2 months ago
This issue has not had any activity in 180 days. Cypress evolves quickly and the reported behavior should be tested on the latest version of Cypress to verify the behavior is still occurring. It will be closed in 14 days if no updates are provided.
This issue has been closed due to inactivity.
@cypress-app-bot This issue still exists with cypress version 13.7.3
It's good to see there is a new PR #29673 to mitigate this vulnerability!
This CRITICAL security vulnerability was also reported in https://github.com/cypress-io/cypress-docker-images/issues/1115 for cypress/included:13.11.0
To reproduce the report, use for example:
trivy image --ignore-unfixed --vuln-type library --severity CRITICAL cypress/included:13.11.0
Released in 13.13.1
This comment thread has been locked. If you are still experiencing this issue after upgrading to Cypress v13.13.1, please open a new issue.
Current behavior
installed version is 1.6.0
Affected versions of this package are vulnerable to Arbitrary Code Injection via the template function, particularly when the variable option is taken from _.templateSettings as it is not sanitized.
Desired behavior
Upgrade fix version is 1.13.1
Test code to reproduce
-
Cypress Version
13.3.3
Node version
16.20.2
Operating System
-
Debug Logs
Other
-
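The report above describes the class of bug: the `variable` setting names the data argument inside the generated template function, and if that setting is spliced into the function source without validation, it can carry arbitrary code. The following is an added example, not code from Cypress or from the affected package: a hypothetical minimal template compiler (`compileTemplate`, `isSafeVariableName`, and the `BARE_IDENTIFIER` pattern are all assumed names) that refuses any `variable` value that is not a bare identifier before it reaches `new Function()`, which is the shape of the fix such engines apply.

```javascript
// Added example, not code from Cypress or the affected package.
// Hypothetical minimal "<%= expr %>" template compiler illustrating the
// mitigation for an unsanitized `variable` setting: the name is checked
// against a bare-identifier pattern before it becomes a function parameter.

const BARE_IDENTIFIER = /^[A-Za-z_$][\w$]*$/;

// Returns true only for names that can safely appear in a parameter list.
function isSafeVariableName(name) {
  return typeof name === 'string' && BARE_IDENTIFIER.test(name);
}

// Compiles `text` into a render function. `settings.variable` is the name
// under which the data object is visible inside template expressions.
function compileTemplate(text, settings = {}) {
  const variable = settings.variable || 'obj';
  // Defensive check: reject anything that is not a plain identifier, since
  // the value is placed verbatim into generated source.
  if (!isSafeVariableName(variable)) {
    throw new Error('template variable is not a bare identifier: ' + JSON.stringify(variable));
  }

  // Static template text is JSON-encoded so quotes or newlines in the
  // template cannot break out of the generated string literals.
  let source = "var __t, __p = '';\n";
  let index = 0;
  const interpolate = /<%=([\s\S]+?)%>/g;
  text.replace(interpolate, (match, expr, offset) => {
    source += '__p += ' + JSON.stringify(text.slice(index, offset)) + ';\n';
    source += '__p += ((__t = (' + expr + ')) == null ? "" : __t);\n';
    index = offset + match.length;
    return match;
  });
  source += '__p += ' + JSON.stringify(text.slice(index)) + ';\n';
  source += 'return __p;';

  // Only the validated name is used as the parameter of the generated function.
  return new Function(variable, source);
}

// Usage: the render function receives the data object under the chosen name.
const renderGreeting = compileTemplate('Hello <%= user.name %>!', { variable: 'user' });
renderGreeting({ name: 'Ada' }); // "Hello Ada!"
```

The check is deliberately strict: it accepts only names matching the identifier pattern, so values containing spaces, punctuation, or a leading digit are rejected with an error rather than being compiled.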