nest-modules / mailer

📨 A mailer module for Nest framework (node.js)
https://nest-modules.github.io/mailer/
MIT License

#CVE-2021-3803 in mail module (nth-check dependency) #725

Closed juansedo closed 9 months ago

juansedo commented 2 years ago
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Inefficient Regular Expression Complexity                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ nth-check                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.0.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @nestjs-modules/mailer                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @nestjs-modules/mailer > inline-css > cheerio >              │
│               │ css-select > nth-check                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-rp65-9cf3-cjxr            │
└───────────────┴──────────────────────────────────────────────────────────────┘

Also, I found this info: https://nvd.nist.gov/vuln/detail/CVE-2021-3803

pavleprica commented 2 years ago

Any updates on this one? Is it resolved in new versions?

juansedo commented 2 years ago

@pavleprica Version 1.6.1 doesn't solve this problem. Anyway, I was just reading about "resolutions" in the yarn documentation, and they can be used to temporarily solve this issue.

How to solve

Resolutions allow you to change the package used at any dependency depth, regardless of what the dependency's package.json says.

I added this at the end of package.json:

  "resolutions": {
    "@nestjs-modules/mailer/**/nth-check": "2.1.0"
  }

Run yarn install, and it will be solved!

Checking solution

With npm list nth-check you can get the dependency tree, and you will see a new warning: [image]

But you can be sure that the vulnerability was solved.

Testing application

The program runs normally: [image]

And the mailer service works very well; this is my Gmail inbox: [image]

Yarn is OK, but what about npm?

npm has something like resolutions; it is called "overrides". You can see a link in the Sources section.

Sources:

Overrides in npm
Resolutions in yarn
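The procedure in the comment above (locate the vulnerable copy with npm list, pin it with yarn "resolutions" or npm "overrides", then re-check the tree) as one added example; this is not code from the issue thread or from the mailer project. It is a Node script that walks an npm ls --all --json style tree ({ name, version, dependencies: { pkg: { version, dependencies } } }), reports every copy of a package below the patched version, and emits both the yarn "resolutions" glob entry used in the comment and the equivalent nested npm "overrides" entry. The sample tree, the versions of the intermediate packages in it, and the function names findVulnerable, compareVersions and buildPins are constructed for this demo; the only facts taken from the page are the dependency path and the patched version (>=2.0.1).

```javascript
// Added example (not from the issue thread or the mailer project).
// SAMPLE_TREE is constructed to mirror `npm ls --all --json` output; the
// intermediate versions (inline-css, cheerio, css-select) are made up for the demo.
const SAMPLE_TREE = {
  name: "my-nest-app",
  version: "1.0.0",
  dependencies: {
    "@nestjs-modules/mailer": {
      version: "1.6.1",
      dependencies: {
        "inline-css": {
          version: "3.0.0",
          dependencies: {
            cheerio: {
              version: "1.0.0-rc.3",
              dependencies: {
                "css-select": {
                  version: "1.2.0",
                  dependencies: {
                    "nth-check": { version: "1.0.2" }, // below the patched 2.0.1
                  },
                },
              },
            },
          },
        },
      },
    },
    // A second, already patched copy elsewhere in the tree: must NOT be reported.
    "some-dev-tool": {
      version: "4.2.0",
      dependencies: { "nth-check": { version: "2.1.1" } },
    },
  },
};

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into comparable parts.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Returns <0, 0 or >0. A prerelease sorts below its release (1.0.0-rc.3 < 1.0.0).
// Simplification: prerelease identifiers are compared as plain strings.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;   // release > prerelease
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// Depth-first walk over the `dependencies` fields. Returns one entry per copy of
// `pkg` whose installed version is below `patched`, with its "a > b > pkg" path.
function findVulnerable(tree, pkg, patched) {
  const hits = [];
  const walk = (node, path) => {
    for (const [name, child] of Object.entries(node.dependencies || {})) {
      const here = [...path, name];
      if (name === pkg && compareVersions(child.version, patched) < 0) {
        hits.push({ path: here.join(" > "), version: child.version });
      }
      walk(child, here); // keep descending: the same package can appear again deeper
    }
  };
  walk(tree, []);
  return hits;
}

// Build the package.json fragments that pin `pkg` under each offending top-level
// dependency: yarn "resolutions" with the `<top>/**/<pkg>` glob the comment uses,
// and npm "overrides" in its nested `{ "<top>": { "<pkg>": version } }` form.
// A vulnerable direct dependency is pinned outright instead.
function buildPins(hits, pkg, pinTo) {
  const resolutions = {}, overrides = {};
  for (const h of hits) {
    const top = h.path.split(" > ")[0];
    if (top === pkg) {
      resolutions[pkg] = pinTo;
      overrides[pkg] = pinTo;
    } else {
      resolutions[`${top}/**/${pkg}`] = pinTo;
      overrides[top] = { ...(overrides[top] || {}), [pkg]: pinTo };
    }
  }
  return { resolutions, overrides };
}

const findings = findVulnerable(SAMPLE_TREE, "nth-check", "2.0.1");
console.log("vulnerable copies:", findings);
console.log(JSON.stringify(buildPins(findings, "nth-check", "2.1.0"), null, 2));
```

To use it on a real project, replace SAMPLE_TREE with the parsed output of npm ls --all --json and paste the printed fragment into package.json ("resolutions" for yarn, "overrides" for npm 8.3 or later), then re-run the script on a fresh npm ls output; an empty findings list is the check the comment does by eye. Two caveats: the version comparison here handles single versions only, not range syntax, so reach for the semver package for anything more; and a forced bump across a major version (1.x to 2.x here) sidesteps the range the intermediate package declared, which is also why npm ls marks the installed copy as invalid, so exercise the code path that uses it, as the comment does by sending a test e-mail through the inline-css rendering.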