search

facebook / create-react-app

Set up a modern web app by running one command.
https://create-react-app.dev
MIT License
102.3k stars 26.71k forks source link

Dependency Packages introduced vulnerabilities associated with react-scripts 5.0.1 #13564

Open BijoyMogorBetsol opened 3 months ago

BijoyMogorBetsol commented 3 months ago

nth-check 1.0.2 JavaScript (Yarn)

Incorrect Comparison
Description nth-check is vulnerable to Inefficient Regular Expression Complexity Severity: High Tool: Dependency Scanning Scanner: Gemnasium

Links https://huntr.dev/bounties/8cf8cc06-d2cf-4b4e-b42c-99fafb0b04d0
https://nvd.nist.gov/vuln/detail/CVE-2021-3803
Identifiers CVE-2021-3803
Gemnasium-3284fc8f-f377-4fcf-95dd-270a8b922329

Solution

Upgrade to version 2.0.1 or above.

express 4.18.2 JavaScript (Yarn)

Express.js Open Redirect in malformed URLs
Description

Versions of Express.js prior to 4.19.2 and pre-release alpha and beta versions before 5.0.0-beta.3 are affected by an open redirect vulnerability using malformed URLs. When a user of Express performs a redirect using a user-provided URL Express performs an encode using encodeurl on the contents before passing it to the location header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list. The main method impacted is res.location() but this is also called from within res.redirect().

Severity: Medium

Identifiers CWE-1035
CWE-937

webpack-dev-middleware 5.3.3 JavaScript (Yarn)

Path traversal in webpack-dev-middleware
Description

The webpack-dev-middleware middleware does not validate the supplied URL address sufficiently before returning the local file. It is possible to access any file on the developer's machine.

Severity: High

Identifiers CWE-22
CWE-1035
CWE-937

postcss 7.0.39 JavaScript (Yarn)

PostCSS line return parsing error
Description

An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.

Severity: Medium Identifiers Gemnasium-7a2fe254-d605-4097-a4e3-7eafeb60045e
CVE-2023-44270

Red0Hood commented 2 months ago

Edit your package.json in the end add this

  "devDependencies": {
    "@babel/plugin-proposal-private-property-in-object": "^7.21.11",
    "@babel/plugin-transform-private-property-in-object": "^7.24.5"
  },
  "overrides": {
    "react-scripts": {
      "@svgr/webpack": "8.1.0",
      "typescript": "5.0.2",
      "postcss":"8.4.38"
    }
  }

edit "react-scripts": "^5.0.1",

  "dependencies": {
    "@testing-library/jest-dom": "^5.17.0",
    "@testing-library/react": "^13.4.0",
    "@testing-library/user-event": "^13.5.0",
    "react": "^18.3.1",
    "react-dom": "^18.3.1",
    "react-scripts": "^5.0.1",
    "styled-components": "^6.1.11",
    "web-vitals": "^2.1.4"
  },

in your terminal sync your package by npm install check for vulnerabilities npm audit Hope it help i think npm is like yarn