facebook / create-react-app

Set up a modern web app by running one command.
https://create-react-app.dev
MIT License
102.7k stars 26.84k forks

Regular Expression Denial of Service (ReDoS) vulnerability in the glob-parent. #11071

Open Leha1992 opened 3 years ago

Leha1992 commented 3 years ago

There is a Regular Expression Denial of Service (ReDoS) vulnerability in the glob-parent dependency.

This is the dependency tree:

The vulnerability has been fixed in glob-parent version >5.1.2

sindhurameduri commented 3 years ago

I am also facing the same issue, have you managed to get it updated

ralfnovo commented 3 years ago

Any updates on this? I'm getting the same vulnerabilities as well

BiancaArtola commented 3 years ago

Same issue here

ghost commented 3 years ago

Same issue here. Registering as high severity from dependabot

kpotter-m2 commented 3 years ago

Same issue for our team, considered moderate severity but causes our npm audits to fail.

  Moderate        Regular expression denial of service
  Package         glob-parent
  Patched in      >=5.1.2
  Dependency of   react-scripts [dev]
  Path            react-scripts > webpack-dev-server > chokidar > glob-parent
  More info       https://npmjs.com/advisories/1751

nrayburn-tech commented 3 years ago

See https://github.com/facebook/create-react-app/issues/11174.

There is not any vulnerable code deployed to production here.

asitsar1 commented 2 years ago

Hi, We received a report of vulnerability in our security testing. "Regular Expression Denial of Service (ReDoS) glob-parent: This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator."

As we expect a version higher than 5.1.2, when will the library be available?

stale[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had any recent activity. It will be closed in 5 days if no further activity occurs.

MEBARKI16 commented 8 months ago

Hello, I would like to intervene regarding issue #11071 on the ReDoS vulnerability in the glob-parent dependency. After running the npm list glob-parent command in the create-react-app project directory, it appears that all instances of glob-parent are at version 5.1.2 or higher, more precisely 6.0.2 for some of them. Version 5.1.2 is where the vulnerability was fixed, so it appears that the project is no longer affected by this specific security issue. I propose that the issue be closed unless there are other actions or checks that you would recommend. Thank you for your attention and continued work on this project.
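The check described in the thread (finding every copy of glob-parent in the tree and comparing it against the patched version 5.1.2) can be scripted rather than read off by eye. The following is an added example, not code from the create-react-app project: it walks the JSON form of `npm ls --all --json` output and reports every glob-parent instance below the patched version, together with the dependency path that pulls it in. The tree below is constructed for the example; the intermediate package versions are assumed placeholders, and only the audit path quoted earlier in the thread (react-scripts > webpack-dev-server > chokidar > glob-parent) comes from the issue.

```javascript
// Added example, not part of create-react-app. Walks `npm ls --all --json`
// style output and flags copies of a package below a patched version.

// Constructed sample shaped like `npm ls --all --json` output. Versions of the
// intermediate packages are assumed placeholders, not taken from a real tree.
const SAMPLE_NPM_LS = {
  name: "my-app",
  version: "0.1.0",
  dependencies: {
    "react-scripts": {
      version: "4.0.0",                       // placeholder
      dependencies: {
        "webpack-dev-server": {
          version: "3.11.0",                  // placeholder
          dependencies: {
            chokidar: {
              version: "2.1.0",               // placeholder
              dependencies: {
                "glob-parent": { version: "3.1.0" }  // below 5.1.2: flagged
              }
            }
          }
        },
        chokidar: {
          version: "3.5.0",                   // placeholder
          dependencies: {
            "glob-parent": { version: "5.1.2" }  // exactly the patched version
          }
        },
        "fast-glob": {
          version: "3.2.0",                   // placeholder
          dependencies: { "glob-parent": { version: "6.0.2" } }
        }
      }
    }
  }
};

// Compare two dotted numeric versions ("x.y.z"). Returns <0, 0 or >0 like a
// comparator. Pre-release tags are not handled; npm ls prints plain releases.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return diff;
  }
  return 0;
}

// Recursively collect every occurrence of `pkg`, each with the path of
// package names that leads to it (same "a > b > c" form npm audit prints).
function findPackage(tree, pkg, path = [], out = []) {
  const deps = tree.dependencies || {};
  for (const [name, node] of Object.entries(deps)) {
    const here = [...path, name];
    if (name === pkg && node.version) {
      out.push({ version: node.version, path: here.join(" > ") });
    }
    findPackage(node, pkg, here, out);   // nested copies may exist below
  }
  return out;
}

// Keep only the copies whose version is strictly below the patched one.
function vulnerableInstances(tree, pkg, patchedIn) {
  return findPackage(tree, pkg)
    .filter((inst) => compareVersions(inst.version, patchedIn) < 0);
}

// Stand-alone usage. For a real project replace SAMPLE_NPM_LS with
// JSON.parse(fs.readFileSync(...)) of saved `npm ls --all --json` output.
const hits = vulnerableInstances(SAMPLE_NPM_LS, "glob-parent", "5.1.2");
if (hits.length === 0) {
  console.log("no glob-parent below 5.1.2 found");
} else {
  for (const h of hits) console.log(`${h.path} @ ${h.version} (< 5.1.2)`);
}
```

Run against the sample it prints the single flagged path, `react-scripts > webpack-dev-server > chokidar > glob-parent @ 3.1.0`. On a real tree, an empty result is the same outcome MEBARKI16 reports above; a non-empty one tells you which parent package still pins the old version, which is the information needed to decide whether an upgrade of that parent (or an `overrides` entry in package.json, supported by npm 8.3 and later) is warranted, keeping in mind the earlier comment that this path is a dev-time dependency of react-scripts rather than code shipped to production.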