felixmosh / bull-board

🎯 Queue background jobs inspector
MIT License

Multiple Vulnerabilities Detected in @bull-board/nestjs Package #820

Closed acc-iprieto closed 2 months ago

acc-iprieto commented 2 months ago

Dear maintainers,

We have detected several vulnerabilities in the dependencies of the @bull-board/nestjs package. Below is a summary of the affected packages and versions:

  1. body-parser - Vulnerable to Denial of Service (DoS)

    • Vulnerability: body-parser is vulnerable to denial of service when URL encoding is enabled.
    • Vulnerable Versions: <1.20.3
    • Patched Versions: >=1.20.3
    • Found in Paths:
      @bull-board/nestjs@5.21.7 > @nestjs/core@10.4.1 > @nestjs/platform-express@10.4.1 > body-parser@1.20.2
    • More details: GitHub Advisory
  2. path-to-regexp - Outputs Backtracking Regular Expressions

    • Vulnerability: path-to-regexp is vulnerable to catastrophic backtracking.
    • Vulnerable Versions: >=2.0.0 <3.3.0, <1.9.0, <0.1.10
    • Patched Versions: >=3.3.0, >=1.9.0, >=0.1.10
    • Found in Paths:
      @bull-board/nestjs@5.21.7 > @nestjs/core@10.4.1 > path-to-regexp@3.2.0
      @bull-board/nestjs@5.21.7 > @nestjs/platform-express@10.4.1 > express@4.19.2 > path-to-regexp@0.1.7
    • More details: GitHub Advisory
  3. send - Vulnerable to Template Injection Leading to XSS

    • Vulnerability: send is vulnerable to a template injection attack that can lead to cross-site scripting (XSS).
    • Vulnerable Versions: <0.19.0
    • Patched Versions: >=0.19.0
    • Found in Paths:
      @bull-board/nestjs@5.21.7 > @nestjs/platform-express@10.4.1 > express@4.19.2 > send@0.18.0
    • More details: GitHub Advisory
  4. serve-static - Vulnerable to Template Injection Leading to XSS

    • Vulnerability: serve-static is vulnerable to template injection attacks, potentially leading to XSS.
    • Vulnerable Versions: <1.16.0
    • Patched Versions: >=1.16.0
    • Found in Paths:
      @bull-board/nestjs@5.21.7 > @nestjs/platform-express@10.4.1 > express@4.19.2 > serve-static@1.15.0
    • More details: GitHub Advisory
  5. express - Vulnerable to XSS via response.redirect()

    • Vulnerability: express is vulnerable to cross-site scripting (XSS) attacks via response.redirect().
    • Vulnerable Versions: <4.20.0
    • Patched Versions: >=4.20.0
    • Found in Paths:
      @bull-board/nestjs@5.21.7 > @nestjs/platform-express@10.4.1 > express@4.19.2
    • More details: GitHub Advisory

Recommendation: Please consider updating the affected dependencies to the patched versions to resolve these vulnerabilities and improve the security of the @bull-board/nestjs package.

Thank you for your attention to this matter, and please let me know if more information is required.

Best regards,
Iván Prieto
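As an added example (not bull-board's own code and not part of the report above), a small script that walks an `npm ls --json`-style dependency tree and flags packages whose version falls inside one of the ranges listed in the report; the tree embedded below is constructed to mirror the report's "Found in Paths" lines, and the semver handling is a deliberately minimal assumption (numeric x.y.z only, no prerelease tags).

```javascript
// Added example (not bull-board code): walk an `npm ls --json`-style tree and
// flag packages whose version satisfies one of the report's vulnerable ranges.
// Assumes plain x.y.z versions (no prerelease tags) and only the operators shown.
const ADVISORIES = { // ranges as listed in the report: comma = any of, space = all of
  'body-parser': '<1.20.3',
  'path-to-regexp': '>=2.0.0 <3.3.0, <1.9.0, <0.1.10',
  send: '<0.19.0',
  'serve-static': '<1.16.0',
  express: '<4.20.0',
};

function compareVersions(a, b) { // -1, 0 or 1, comparing x.y.z numerically
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

function satisfies(version, range) { // true when `version` lies inside `range`
  return range.split(',').some((alt) => alt.trim().split(/\s+/).every((cmp) => {
    const m = cmp.match(/^(>=|<=|>|<)?(\d+\.\d+\.\d+)$/);
    if (!m) throw new Error(`unsupported comparator: ${cmp}`);
    const c = compareVersions(version, m[2]);
    const ops = { '>=': c >= 0, '<=': c <= 0, '>': c > 0, '<': c < 0, '': c === 0 };
    return ops[m[1] || ''];
  }));
}

// Recursively collect { path, range } for every node matching an advisory.
function findVulnerable(node, parents = []) {
  const path = [...parents, `${node.name}@${node.version}`];
  const range = ADVISORIES[node.name];
  const hits = range && satisfies(node.version, range) ? [{ path: path.join(' > '), range }] : [];
  for (const [name, child] of Object.entries(node.dependencies || {}))
    hits.push(...findVulnerable({ name, ...child }, path));
  return hits;
}

// Constructed sample tree mirroring the "Found in Paths" lines of the report.
const SAMPLE_TREE = { name: '@bull-board/nestjs', version: '5.21.7', dependencies: {
  '@nestjs/core': { version: '10.4.1', dependencies: {
    'path-to-regexp': { version: '3.2.0' },
    '@nestjs/platform-express': { version: '10.4.1', dependencies: { 'body-parser': { version: '1.20.2' } } },
  } },
  '@nestjs/platform-express': { version: '10.4.1', dependencies: { express: { version: '4.19.2', dependencies: {
    'path-to-regexp': { version: '0.1.7' }, send: { version: '0.18.0' }, 'serve-static': { version: '1.15.0' },
  } } } },
} };

for (const hit of findVulnerable(SAMPLE_TREE)) console.log(`${hit.path}  (vulnerable: ${hit.range})`);
```

To run it against a real project, replace `SAMPLE_TREE` with the parsed output of `npm ls --all --json` (its root object has the same `name`/`version`/`dependencies` shape).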

felixmosh commented 2 months ago

Hi, thank you, looks like it is related to nest.js itself, and there is no fix release for it. Whenever @nestjs/platform-express releases an update, we will be able to update it.

Ping them :]

felixmosh commented 2 months ago

Closing since it is not related to this lib directly