expressjs / multer

Node.js middleware for handling `multipart/form-data`.
MIT License

CVE-2022-24434: DoS affecting dicer (sub-dependency) #1254

Open sewellstephens opened 2 months ago

sewellstephens commented 2 months ago

Discussed in https://github.com/expressjs/multer/discussions/1253

Originally posted by **sewellstephens** April 14, 2024

Hi, I'm not at all an expert in cybersecurity nor am I a security researcher, but Snyk security and NPM are warning of a critical DDoS vulnerability attached to this package. According to the NPM vuln scanner, it seems to be linked to the busboy dependency in package.json.

Here's a screenshot: [image: dicer vuln]
UlisesGascon commented 2 months ago

I was able to replicate this with this package.json.

```json
{
  "name": "multer-1254",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "keywords": [],
  "author": "",
  "license": "ISC",
  "dependencies": {
    "multer": "^1.4.2"
  }
}
```

Snyk is alerting for SNYK-JS-DICER-2311764, but it is not shown on the Multer page. I found that confusing at the beginning, but after doing further research I got a better understanding.

By checking the dependencies we can see that busboy@0.2.14 depends on dicer@0.2.5 (see). Multer depends on busboy@^0.2.11 (see)

```json
"node_modules/busboy": {
  "version": "0.2.14",
  "resolved": "https://registry.npmjs.org/busboy/-/busboy-0.2.14.tgz",
  "integrity": "sha512-InWFDomvlkEj+xWLBfU3AvnbVYqeTWmQopiW0tWWEy5yehYm2YkGEc59sUmw/4ty5Zj/b0WHGs1LgecuBSBGrg==",
  "dependencies": {
    "dicer": "0.2.5",
    "readable-stream": "1.1.x"
  },
  "engines": {
    "node": ">=0.8.0"
  }
}
```

Currently there is no fix available for dicer (I was not able to find an open discussion either), so maybe we can upgrade busboy to v1.0.0 (see comparison details), as this version removes dicer and includes streamsearch, but this will drop Node.js support to >=10.16.0 for multer.

Said that ... I am not very familiar with multer internals or busboy, so maybe this CVE is not affecting us due to the way we are using the dependencies? :thinking:
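One way to check a project's own lockfile for the multer -> busboy -> dicer chain described above, written here as an added example that is not part of this thread and not code from multer or busboy. It assumes an npm lockfile in the `lockfileVersion` 2/3 `"packages"` layout (the same layout as the `"node_modules/busboy"` entry quoted above); the two lockfile objects embedded in it are constructed samples, and the version numbers in them (multer 1.4.2 / 1.4.5-lts.1, busboy 0.2.14 / 1.0.0, dicer 0.2.5) are the ones mentioned in this issue.

```javascript
// Added example (not multer's or busboy's own code): audit an npm lockfile
// (lockfileVersion 2/3 "packages" map) for the multer -> busboy -> dicer chain.
// Both lockfile objects below are constructed samples for this example.

// Constructed sample: multer@1.4.2 resolving to busboy@0.2.14 and dicer@0.2.5.
const VULNERABLE_LOCK = {
  name: "multer-1254",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { multer: "^1.4.2" } },
    "node_modules/multer": { version: "1.4.2", dependencies: { busboy: "^0.2.11" } },
    "node_modules/busboy": {
      version: "0.2.14",
      dependencies: { dicer: "0.2.5", "readable-stream": "1.1.x" },
    },
    "node_modules/dicer": { version: "0.2.5" },
  },
};

// Constructed sample: the same project after upgrading to multer@1.4.5-lts.1,
// which pulls busboy@1.0.0 (streamsearch instead of dicer).
const FIXED_LOCK = {
  name: "multer-1254",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { multer: "1.4.5-lts.1" } },
    "node_modules/multer": { version: "1.4.5-lts.1", dependencies: { busboy: "^1.0.0" } },
    "node_modules/busboy": { version: "1.0.0", dependencies: { streamsearch: "^1.1.0" } },
    "node_modules/streamsearch": { version: "1.1.0" },
  },
};

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into numeric parts. The prerelease tag
// (e.g. "-lts.1") is dropped: only the numeric core matters for the "< 1.0.0" test.
function parseVersion(v) {
  const parts = v.split("-")[0].split(".").map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) throw new Error(`bad version: ${v}`);
  return parts;
}

// Negative if a < b, zero if equal, positive if a > b (numeric core only).
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Package name is the last "node_modules/" segment, so nested installs such as
// "node_modules/a/node_modules/b" resolve to "b".
function packageName(lockPath) {
  return lockPath.split("node_modules/").pop();
}

// Walk the "dependencies" maps upwards to show who pulls a package in,
// e.g. ["dicer", "busboy", "multer", "(root)"]. Stops at the root entry "".
function dependencyChain(lock, targetName) {
  const chain = [targetName];
  const seen = new Set([targetName]);
  let current = targetName;
  for (;;) {
    const parentPath = Object.keys(lock.packages).find((p) =>
      Object.prototype.hasOwnProperty.call(lock.packages[p].dependencies || {}, current)
    );
    if (parentPath === undefined) break;
    const parent = parentPath === "" ? "(root)" : packageName(parentPath);
    chain.push(parent);
    if (parentPath === "" || seen.has(parent)) break;
    seen.add(parent);
    current = parent;
  }
  return chain;
}

// Report every installed dicer, and every busboy older than 1.0.0 (the busboy
// line that still depended on dicer). Each finding carries the chain that pulls it in.
function auditLock(lock) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages)) {
    if (lockPath === "") continue;
    const name = packageName(lockPath);
    let reason = null;
    if (name === "dicer") reason = "dicer installed (CVE-2022-24434)";
    else if (name === "busboy" && compareVersions(entry.version, "1.0.0") < 0)
      reason = "busboy < 1.0.0 still depends on dicer";
    if (reason) findings.push({ name, version: entry.version, reason, chain: dependencyChain(lock, name) });
  }
  return findings;
}

function isAffected(lock) {
  return auditLock(lock).length > 0;
}

// Stand-alone use: node audit-lock.js [path/to/package-lock.json]; without an
// argument it audits the constructed VULNERABLE_LOCK sample.
if (typeof require !== "undefined" && require.main === module) {
  const lockPath = process.argv[2];
  const lock = lockPath ? JSON.parse(require("fs").readFileSync(lockPath, "utf8")) : VULNERABLE_LOCK;
  for (const f of auditLock(lock)) console.log(`${f.name}@${f.version}: ${f.reason} via ${f.chain.join(" <- ")}`);
  if (!isAffected(lock)) console.log("no busboy/dicer findings");
}
```

The audit looks at what was actually resolved, not at the semver ranges in package.json, which is why it flags the chain even though multer's own manifest never names dicer; running it against the sample lock built from the `package.json` above reports both `busboy@0.2.14` and `dicer@0.2.5`, while the lock for the upgraded project reports nothing.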

welchjl commented 2 months ago

1.4.2 is deprecated. Update to 1.4.5-lts.1 as it uses busboy 1.0.0 which resolves the vulnerability 👍