helius-labs / helius-sdk


Vulnerability Report - Axios in helius-sdk Dependency Chain #61

Closed dandersonlittle closed 2 months ago

dandersonlittle commented 9 months ago

Summary: I believe I have identified a security vulnerability in the helius-sdk package and its dependencies. The issue relates to the version of Axios being used in the package's dependency chain, which is susceptible to a Cross-Site Request Forgery (CSRF) vulnerability (severity: moderate). This vulnerability can potentially expose applications to security risks.

Steps to Reproduce:

1. Install the helius-sdk package using the command: npm install helius-sdk
2. Check the npm audit report using: npm audit

Observed Behavior: The npm audit report identifies the following vulnerabilities:

- Axios (0.8.1 - 1.5.1): Moderate severity CSRF vulnerability. Advisory Link
- aptos (<= 1.13.3): Depends on vulnerable Axios versions.
- @irys/sdk: Depends on vulnerable versions of aptos.
- helius-sdk (>= 1.0.16): Depends on vulnerable versions of @irys/sdk.

Expected Behavior: The helius-sdk package should use an updated version of Axios that does not have known security vulnerabilities.

Impact: The identified vulnerabilities may expose applications to potential security threats and could lead to unauthorized actions, data breaches, or other security issues.

Additional Information: The vulnerability report indicates that updating Axios to a secure version is a possible solution, but it may result in a breaking change (helius-sdk@1.0.15).

Steps Taken: I've made sure my node and npm are fully updated.

Environment:

- Node.js version: 20.11.0
- npm version: 10.2.4

Additional Notes: This is the first GitHub issue I've reported. There could be a misunderstanding on my part. Also, this vulnerability may not even affect anything about the functionality of the library. I'm testing out the Helius SDK and thought I would report it. Thank you.
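The audit output above only lists the chain flat; the script below, an added example that is not part of the issue or the helius-sdk project, walks the `npm audit --json` graph (the `via`/`effects` fields) to print each root advisory and the path by which it reaches the top-level dependency. The embedded report is constructed from the packages and ranges the report lists, not captured from a real install; the @irys/sdk range and the advisory title are assumed placeholders.

```javascript
// Added example: walk an `npm audit --json` report from a vulnerable package
// up through its dependents. The sample report is constructed to mirror the
// chain in this issue (axios -> aptos -> @irys/sdk -> helius-sdk); it is not
// real npm output from the helius-sdk repository.
const sampleAudit = {
  vulnerabilities: {
    axios: {
      name: "axios", severity: "moderate", isDirect: false,
      via: [{ name: "axios", title: "Axios CSRF advisory (placeholder title)",
              severity: "moderate", range: "0.8.1 - 1.5.1" }],
      effects: ["aptos"], range: "0.8.1 - 1.5.1", nodes: ["node_modules/axios"],
    },
    aptos: { name: "aptos", severity: "moderate", isDirect: false,
             via: ["axios"], effects: ["@irys/sdk"], range: "<=1.13.3",
             nodes: ["node_modules/aptos"] },
    "@irys/sdk": { name: "@irys/sdk", severity: "moderate", isDirect: false,
                   via: ["aptos"], effects: ["helius-sdk"], range: "*", // assumed
                   nodes: ["node_modules/@irys/sdk"] },
    "helius-sdk": { name: "helius-sdk", severity: "moderate", isDirect: true,
                    via: ["@irys/sdk"], effects: [], range: ">=1.0.16",
                    nodes: ["node_modules/helius-sdk"] },
  },
};

// Every path from `pkg` to a package that nothing else in the report depends
// on (the direct dependency that pulls the vulnerable code in). Cycles are
// skipped so a malformed report cannot loop forever.
function dependencyChains(audit, pkg, seen = new Set()) {
  const entry = audit.vulnerabilities[pkg];
  if (!entry || seen.has(pkg)) return [];
  const next = new Set([...seen, pkg]);
  if (entry.effects.length === 0) return [[pkg]];
  return entry.effects.flatMap((dep) =>
    dependencyChains(audit, dep, next).map((chain) => [pkg, ...chain]));
}

// Root advisories are the entries whose `via` holds advisory objects; entries
// whose `via` holds only package names are transitive "depends on vulnerable
// version" findings and are reported as part of a chain instead.
function rootAdvisories(audit) {
  return Object.values(audit.vulnerabilities)
    .filter((v) => v.via.some((x) => typeof x === "object"))
    .map((v) => ({
      name: v.name, severity: v.severity, range: v.range,
      titles: v.via.filter((x) => typeof x === "object").map((x) => x.title),
      chains: dependencyChains(audit, v.name).map((c) => c.join(" -> ")),
    }));
}

for (const adv of rootAdvisories(sampleAudit)) {
  console.log(`${adv.name} ${adv.range} [${adv.severity}]: ${adv.titles.join("; ")}`);
  for (const c of adv.chains) console.log("  reached via " + c);
}
```

Against a real install, feed it `JSON.parse` of `npm audit --json` instead of `sampleAudit`; a fix at the top of the chain (here, @irys/sdk dropping the affected aptos range) removes every path at once.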

KoenRijpstra commented 9 months ago

Thanks for reporting. Looking into it now.

KoenRijpstra commented 9 months ago

Our SDK utilizes the Irys SDK for image uploads to Arweave. A vulnerability has been identified in their package. We've raised an issue (https://github.com/Irys-xyz/js-sdk/issues/116) to address this matter, and once resolved, we will update our package accordingly.

Thanks again for reporting!

dandersonlittle commented 9 months ago

Thank you for explaining the usage of the Irys SDK. Thank you for following up.

0xIchigo commented 2 months ago

Can be considered resolved with #139