newrelic / node-newrelic

New Relic Node.js agent code base. Developers are welcome to create pull requests here, please see our contributing guidelines. For New Relic technical support, please go to http://support.newrelic.com.
Apache License 2.0

Latest newrelic version uses vulnerable ws package version, CVE-2024-37890 #2286

Closed tomerelkayam closed 4 months ago

tomerelkayam commented 4 months ago

Description

Latest newrelic version uses vulnerable ws package version 8.14.2, CVE-2024-37890 (@newrelic/security-agent version 1.3.0 is using ws package version 8.14.2)

Expected Behavior

Please upgrade @newrelic/security-agent to use ws >= 8.17.1 https://github.com/newrelic/csec-node-agent/blob/main/package.json

workato-integration[bot] commented 4 months ago

https://new-relic.atlassian.net/browse/NR-282429

mrickard commented 4 months ago

Thank you for letting us know, @tomerelkayam! The Security Agent is managed by a different team, so we're closing it on this repo. Would you be able to open this issue on their repo? We'll update when there's a new version of the Security Agent.

The Security Agent is a dependency of our Node Agent, but we recommend not enabling the Security Agent in production, so production applications shouldn't encounter the code paths that use the vulnerable version.

sumitsuthar commented 4 months ago

@tomerelkayam you can fix the CVE by installing the latest newrelic agent using `npm install newrelic@latest`, which will install the latest ws package (v8.17.1).