docusign / docusign-esign-node-client

The Official DocuSign Node.js Client Library used to interact with the eSign REST API. Send, sign, and approve documents using this client.
http://docusign.github.io/docusign-esign-node-client
MIT License

Security Vulnerability : VM2 CVE-2023-37903 #342

Closed stbarillas closed 1 month ago

stbarillas commented 6 months ago

Introduced through: docusign-esign@6.5.1 › superagent-proxy@2.1.0 › proxy-agent › pac-proxy-agent › pac-resolver › degenerator@3.0.2

Overview

The version of degenerator that gets installed alongside docusign-esign uses a deprecated VM2 package that is now referenced in vulnerability CVE-2023-37903.

vm2 is an open source vm/sandbox for Node.js. In vm2 for versions up to and including 3.9.19, Node.js custom inspect function allows attackers to escape the sandbox and run arbitrary code. This may result in Remote Code Execution, assuming the attacker has arbitrary code execution primitive inside the context of vm2 sandbox. There are no patches and no known workarounds. Users are advised to find an alternative software.

https://nvd.nist.gov/vuln/detail/CVE-2023-37903

Remediation

degenerator@5.0.1 refactors VM2 out. To get this version of degenerator, proxy-agent must be upgraded to 6.3.1. Unfortunately the latest version of superagent-proxy@3.0.0 still uses proxy-agent@^5.0.0.

Overriding proxy-agent to use 6.3.1 results in errors. Remediation is having TooTallNate update superagent-proxy to support proxy-agent@6.3.1, or refactoring superagent-proxy out.

ivan-dinkov commented 6 months ago

Thanks for notifying us about this. I'll let the SDK devs know.

comp615 commented 5 months ago

@ivan-dinkov do we have a fix here yet? It looks like there's still a critical-level security vulnerability this is forcing on people...

Ivanrenes commented 5 months ago

@ivan-dinkov any update?

nikodunk commented 4 months ago

Hi! Sorry to be a bother, but we are paying customers and will have to drop this dependency and find another service to keep our SOC2 compliance, if the sub-dependencies are not updated to secure versions for this library. We're now up to 3 high security warnings from your sub-dependencies @InbarGazit @ivan-dinkov

meads2320 commented 4 months ago

@eleanorharris I noticed an update then a rollback. Are there any plans for the superagent-proxy package to be updated in the near future? https://github.com/docusign/docusign-esign-node-client/commit/07812393ab31eee58e7e0f751fb5a3c6dd094c5f

Eyalm321 commented 4 months ago

Any updates on this? Not cool having to install a package of a flagship product and seeing 6 high level warnings..

InbarGazit commented 4 months ago

Eyal and everyone else, I apologize for not communicating and for the delays on this. We're working on this, we had some challenges which is why this is not done yet, but we'll get it done very soon, please be a little more patient. We'll update this thread as soon as this is resolved.

InbarGazit commented 3 months ago

Eyal, see https://www.npmjs.com/package/docusign-esign/v/6.6.0-rc2 and let us know if it fixes this issue

Ivanrenes commented 3 months ago

@InbarGazit hey, generateAccessToken is no longer working in that version.

maxicapodacqua commented 3 months ago

Any updates or PR to keep track of this issue? This is still at critical level

fabiolnm commented 3 months ago

Any updates?

Ivanrenes commented 3 months ago

@fabiolnm did you try with RC version https://www.npmjs.com/package/docusign-esign/v/6.6.0-rc2?

Auth stopped working for me.

fabiolnm commented 3 months ago

The RC version worked for me. Thanks!

jwvanhollebeke commented 2 months ago

The RC version worked for me as well. Is there a plan to release this RC version soon?

bejoinka commented 1 month ago

Folks, I notice this vulnerability no longer exists with 7.0.0-rc1, and it looks like 6.6.0-rc2 also appeared to potentially solve this issue.

In the future, it would be kind to those who depend on this package to release patches to cover these vulnerabilities.

sonawane-sanket commented 1 month ago

Appreciate the confirmation, @fabiolnm, @jwvanhollebeke and @bejoinka!

@nikodunk, @maxicapodacqua, @Eyalm321, @comp615, @stbarillas

I'm glad to inform you that we've successfully addressed the security vulnerability identified in docusign-esign@6.5.1. You can now access the updated version, 6.6.0-rc2, here, as mentioned earlier by @InbarGazit.

We're currently in the process of finalizing the RC version to publish. Stay tuned for updates as we move forward with this plan.

For additional visibility, you can access the changelogs here.

If you have any further questions or concerns, feel free to reach out.

sonawane-sanket commented 1 month ago

We're excited to announce the release of the public version 7.0.0. We encourage you to upgrade and check out the changelog here.

Ivanrenes commented 1 month ago

@sonawane-sanket when trying to generate a token with generateAccessToken using the client it just doesn't work, it throws an empty error (see screenshot). With the previous version it works as usual; has anything changed for that?

[screenshot]

Update:

Just found the issue in your code, please merge this PR ASAP.

sonawane-sanket commented 1 month ago

Thank you @ivan-dinkov

We truly appreciate your prompt feedback. The issue has been resolved.

Please find further updates here

Ivanrenes commented 1 month ago

@sonawane-sanket Please check the comment at https://github.com/docusign/docusign-esign-node-client/pull/352#pullrequestreview-2077517229, generateAccessToken is still broken.

nikodunk commented 1 month ago

Yep, broken now for us too on a node server integration. Following your docs you recommend doing:

const docusign = require('docusign-esign') // SDK import implied by the snippet
const auth = await authenticate() // authenticate() is the helper from the docs referred to above
const dsApiClient = new docusign.ApiClient()
dsApiClient.setBasePath(auth.basePath)

is where it throws on RC2

was auth.basePath removed?

sonawane-sanket commented 1 month ago

Please follow further updates on here. Closing this issue for now.