Venom is a high-performance system developed in JavaScript to create a bot for WhatsApp, with support for creating any interaction, such as customer service, media sending, sentence recognition based on artificial intelligence, and all types of design architecture for WhatsApp.
The current version of venom-bot uses an outdated version of sharp (0.30.7), which is vulnerable to a high-severity security issue (CVE-2023-4863). This vulnerability in sharp's libwebp dependency can pose significant risks, especially when processing untrusted input.
Environment
Venom version(s): 5.0.21
Browser: [Not Applicable for this issue]
OS: macOS Ventura
Node version: Node 18.16.0
Steps to Reproduce
This issue is related to the package dependency and does not require specific reproduction steps.
Expected Behavior
venom-bot should use a secure and updated version of sharp to mitigate the known vulnerabilities.
Actual Behavior
venom-bot currently uses sharp version 0.30.7, which includes the vulnerable libwebp dependency.
Suggested Solution
Please update the sharp dependency in venom-bot to version 0.32.6 or later, which includes the fixed libwebp version (1.3.2).
Log Output
Not applicable for this issue.
Additional Context
The security advisory for this vulnerability can be found here: GHSA-54xq-cgqr-rpm3. Addressing this issue is crucial for maintaining the security integrity of applications using venom-bot.
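As an added example (not venom-bot's or sharp's own code), the following script performs the check a maintainer or downstream user would want before closing this issue: it reads the libwebp version that sharp reports at runtime through its `sharp.versions` object and compares it against the fixed libwebp 1.3.2 shipped with sharp 0.32.6, and it scans a package-lock.json for nested copies of sharp, since a project can hold a patched top-level sharp while venom-bot still resolves its own older copy under `node_modules/venom-bot/node_modules/sharp`. The lockfile fragment is constructed for the example; the `FIXED_*` constants are taken from the report above; the behaviour of `sharp.versions` and the `SHARP_IGNORE_GLOBAL_LIBVIPS` build flag are sharp's, everything else is illustrative.

```javascript
// Added example, not venom-bot's or sharp's code: decide whether an installed
// sharp is still exposed to CVE-2023-4863 (libwebp heap buffer overflow).
//
// Fixed versions per the report above: sharp 0.32.6, which bundles libwebp 1.3.2.
const FIXED_SHARP = '0.32.6';
const FIXED_WEBP = '1.3.2';

// Compare dotted release versions numerically ("0.30.7" < "0.32.6").
// Pre-release tags are not handled; sharp and libwebp releases here have none.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] ?? 0;
    const y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Assess one sharp installation from its package version and the `versions`
// object sharp exports (e.g. { vips: '8.14.4', webp: '1.3.2', ... }).
// The linked libwebp is checked separately from the package version because
// sharp can link a system libvips (unless SHARP_IGNORE_GLOBAL_LIBVIPS is set),
// and that libvips brings its own libwebp.
function assessSharp(sharpVersion, versions) {
  const findings = [];
  if (compareVersions(sharpVersion, FIXED_SHARP) < 0) {
    findings.push(`sharp ${sharpVersion} is older than ${FIXED_SHARP}`);
  }
  const webp = versions && versions.webp;
  if (!webp) {
    findings.push('libwebp version not reported; fix cannot be confirmed');
  } else if (compareVersions(webp, FIXED_WEBP) < 0) {
    findings.push(`linked libwebp ${webp} is older than ${FIXED_WEBP}`);
  }
  return { vulnerable: findings.length > 0, findings };
}

// List every resolved copy of sharp in a lockfileVersion 2/3 package-lock.json,
// including copies nested under another dependency's node_modules.
function sharpVersionsInLock(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === 'node_modules/sharp' || path.endsWith('/node_modules/sharp')) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile fragment (hypothetical, not from a real project):
// a patched top-level sharp alongside the older copy resolved for venom-bot.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/venom-bot': { version: '5.0.21' },
    'node_modules/venom-bot/node_modules/sharp': { version: '0.30.7' },
    'node_modules/sharp': { version: '0.32.6' },
  },
};

// Live check against whatever sharp is installed next to this script, if any.
function liveCheck() {
  if (typeof require !== 'function') return null;
  try {
    const sharp = require('sharp');
    const pkg = require('sharp/package.json');
    return assessSharp(pkg.version, sharp.versions);
  } catch (e) {
    return null; // sharp not installed here
  }
}

const live = liveCheck();
console.log(live ? live : 'sharp not installed; skipping live check');
for (const hit of sharpVersionsInLock(SAMPLE_LOCK)) {
  const state = compareVersions(hit.version, FIXED_SHARP) < 0 ? 'VULNERABLE' : 'ok';
  console.log(`${hit.path} ${hit.version} ${state}`);
}
```

`npm ls sharp` shows the same nesting the lockfile scan reports; until venom-bot bumps its own dependency, a consumer can force the patched version for every nested copy with an `overrides` entry in package.json (`"overrides": { "sharp": "^0.32.6" }`) and then confirm with the runtime check that the linked libwebp is really 1.3.2 or later.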