orkestral / venom

Venom is a high-performance JavaScript library for building WhatsApp bots, with support for any kind of interaction: customer service, media sending, AI-based sentence recognition, and any design architecture built on WhatsApp.
https://orkestral.io
Apache License 2.0
6.08k stars 1.2k forks

Security Vulnerability in Dependency: sharp version used by `venom-bot` #2534

Closed Philipp2398 closed 6 months ago

Philipp2398 commented 11 months ago

Description

The current version of venom-bot uses an outdated version of sharp (0.30.7), which is vulnerable to a high-severity security issue (CVE-2023-4863). This vulnerability in sharp's libwebp dependency can pose significant risks, especially when processing untrusted input.

Environment

Expected Behavior

venom-bot should use a secure and updated version of sharp to mitigate the known vulnerabilities.

Actual Behavior

venom-bot currently uses sharp version 0.30.7, which includes the vulnerable libwebp dependency.

Suggested Solution

Please update the sharp dependency in venom-bot to version 0.32.6 or later, which includes the fixed libwebp version (1.3.2).

Log Output

Additional Context

The security advisory for this vulnerability can be found here: GHSA-54xq-cgqr-rpm3. Addressing this issue is crucial for maintaining the security integrity of applications using venom-bot.

orkestral commented 6 months ago

New Release: `npm i venom-bot@5.1.0`

We have support for Venom for just $15 per month. If you are interested, contact our support via the link: https://web.whatsapp.com/send?phone=5561985290357