kogosoftwarellc / open-api

A Monorepo of various packages to power OpenAPI in node
MIT License
892 stars 235 forks

Vulnerability found in express-openapi 10.1.0 release #801

Closed linhenry0417 closed 2 years ago

linhenry0417 commented 2 years ago

One of the dependencies minimatch has a vulnerability that is fixed in its later 3.0.5 version. Since the latest 10.1.0 release of express-openapi still uses an older version of minimatch (3.0.4), it will need to be fixed or updated to avoid the vulnerability.

└─┬ express-openapi@10.1.0
  └─┬ openapi-framework@10.1.0
    └─┬ glob@7.1.6
      └── minimatch@3.0.4

Type: vulnerability
CVE: PRISMA-2022-0039
Sev.: high
Package Name: minimatch
Package Ver.: 3.0.4
Status: fixed in 3.0.5
Description: minimatch package versions before 3.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS). It's possible to cause a denial of service when calling function braceExpand (The regex /{.*}/ is vulnerable and can be exploited).

linhenry0417 commented 2 years ago

Is there any plan on fixing the vulnerability? It looks like the issue still exists in the latest 11.0.0 release. Thanks.

└─┬ express-openapi@11.0.0
  └─┬ openapi-framework@11.0.0
    └─┬ glob@7.1.6
      └── minimatch@3.0.4

@jsdevel

linhenry0417 commented 2 years ago

@jsdevel Thanks for helping to address the issue. Was the issue fixed in the latest 11.0.1 release? I've tried to upgrade the package but minimatch was still not upgraded.

└─┬ express-openapi@11.0.1
  └─┬ openapi-framework@11.0.1
    └─┬ glob@7.1.6
      └── minimatch@3.0.4

jsdevel commented 2 years ago

@linhenry0417 It should have been. Try wiping out node_modules and re-installing.
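A check for the question running through this thread (is a vulnerable transitive minimatch still resolved after the upgrade?), added here as an example and not code from the open-api project: it walks the JSON tree that `npm ls --all --json` prints and reports every dependency path ending in a minimatch older than 3.0.5. The tree below is a constructed sample mirroring the `npm ls` output quoted above, and the function names are assumptions of this example.

```javascript
// Added example, not code from the open-api project: report every path in an
// npm dependency tree that resolves a package to a version below the fixed one.
// Tree shape is the JSON from `npm ls --all --json`:
//   { name, version, dependencies: { <pkg>: { version, dependencies: {...} } } }

// Compare two "MAJOR.MINOR.PATCH" strings; negative when a < b. Prerelease
// tags are not handled, which is enough for the versions in this thread.
function cmpVersion(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Walk `dependencies` recursively and return "a@x > b@y > pkg@z" strings for
// each occurrence of `pkg` older than `fixedIn`, so the report shows which
// top-level dependency drags the vulnerable version in.
function findVulnerablePaths(tree, pkg, fixedIn, trail = []) {
  const hits = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...trail, `${name}@${node.version || '?'}`];
    if (name === pkg && node.version && cmpVersion(node.version, fixedIn) < 0) {
      hits.push(here.join(' > '));
    }
    hits.push(...findVulnerablePaths(node, pkg, fixedIn, here));
  }
  return hits;
}

// Constructed sample mirroring the `npm ls` tree quoted in the issue.
const SAMPLE_TREE = {
  name: 'my-app',
  dependencies: {
    'express-openapi': {
      version: '10.1.0',
      dependencies: {
        'openapi-framework': {
          version: '10.1.0',
          dependencies: {
            glob: { version: '7.1.6', dependencies: { minimatch: { version: '3.0.4' } } },
          },
        },
      },
    },
  },
};
// Real usage: `npm ls --all --json > tree.json`, then pass the parsed file here.
console.log(findVulnerablePaths(SAMPLE_TREE, 'minimatch', '3.0.5'));
```

An empty result after `rm -rf node_modules && npm install` is the confirmation the last comment asks for; a non-empty one names the chain that still pins the old version.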