panva / openid-client

OAuth 2 / OpenID Connect Client API for JavaScript Runtimes
MIT License

CVE-2022-36083 : JOSE vulnerable to resource exhaustion #534

Closed jagadish-m closed 2 years ago

jagadish-m commented 2 years ago

Describe the bug

Currently using openid-client 5.1.8, and the jose version it depends on is a vulnerable version: https://github.com/advisories/GHSA-jv3g-j58f-9mq9

Please update the dependency package of openid-client so that the version of jose with the vulnerability fix is picked up when installing the openid-client package (npm i openid-client@latest).

Updating openid-client to the latest version didn't update the dependency ("openid-client": "^5.1.8" became "openid-client": "^5.1.10"):

"node_modules/openid-client": {
      "version": "5.1.9",
      "resolved": "https://registry.npmjs.org/openid-client/-/openid-client-5.1.9.tgz",
      "integrity": "sha512-o/11Xos2fRPpK1zQrPfSIhIusFrAkqGSPwkD0UlUB+CCuRzd7zrrBJwIjgnVv3VUSif9ZGXh2d3GSJNH2Koh5g==",

      "version": "5.1.10",
      "resolved": "https://registry.npmjs.org/openid-client/-/openid-client-5.1.10.tgz",
      "integrity": "sha512-KYAtkxTuUwTvjAmH0QMFFP3i9l0+XhP2/blct6Q9kn+DUJ/lu8/g/bI8ghSgxz9dJLm/9cpB/1uLVGTcGGY0hw==",
      "dependencies": {
        "jose": "^4.1.4",
        "lru-cache": "^6.0.0",
        "object-hash": "^2.0.1",
        "oidc-token-hash": "^5.0.1"
      },
      "engines": {
        "node": "^12.19.0 || ^14.15.0 || ^16.13.0"
      },
      "funding": {
        "url": "https://github.com/sponsors/panva"
      }
}

Thank you

panva commented 2 years ago

Just run npm upgrade. This is a self-healing process any user can run to update dependencies.

jagadish-m commented 2 years ago

Thanks for your response.

Please help us here.

panva commented 2 years ago

https://docs.npmjs.com/cli/v8/commands/npm-update/

I have no further advice. "npm update" to update transitive dependencies.

panva commented 2 years ago

Also npm audit --fix
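The point of the maintainer's replies is that the lockfile, not openid-client's own version range ("jose": "^4.1.4" already admits the patched release), pins the vulnerable jose, so the fix is a lockfile refresh. As an added example, not code from the issue or from the openid-client project, here is a Node script that reads a package-lock.json, lists every installed copy of jose (including nested duplicates, which a glance at node_modules/jose alone would miss) and flags the ones below the patched release. It assumes 4.9.2 as the patched 4.x release of jose, which should be confirmed against the linked GHSA; the sample lockfiles and their version numbers are constructed for the demonstration. The remediation it prints is the advice given above, with npm's audit subcommand spelled the way npm accepts it, `npm audit fix`.

```javascript
'use strict';

// Constructed sample lockfiles (not taken from the issue). 4.8.3 stands in for
// "some jose release below the patched one"; 4.9.2 is the assumed patched release.
// Lockfile v2/v3 layout: a flat "packages" map keyed by install path.
const SAMPLE_LOCK_BEFORE = {
  lockfileVersion: 2,
  packages: {
    '': { dependencies: { 'openid-client': '^5.1.10' } },
    'node_modules/openid-client': { version: '5.1.10', dependencies: { jose: '^4.1.4' } },
    'node_modules/jose': { version: '4.8.3' },
  },
};
const SAMPLE_LOCK_AFTER = {
  lockfileVersion: 2,
  packages: {
    '': { dependencies: { 'openid-client': '^5.1.10' } },
    'node_modules/openid-client': { version: '5.1.10', dependencies: { jose: '^4.1.4' } },
    'node_modules/jose': { version: '4.9.2' },
  },
};
// Lockfile v1 layout: a nested "dependencies" tree. Here an older second copy of
// jose is nested under openid-client; checking only the hoisted copy would miss it.
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    jose: { version: '4.9.2' },
    'openid-client': { version: '5.1.10', dependencies: { jose: { version: '4.8.3' } } },
  },
};

// Compare dotted numeric versions (-1, 0, 1). Prerelease/build suffixes are ignored,
// which is good enough for a "is it at least the patched release" check.
function compareVersions(a, b) {
  const pa = a.split(/[-+]/)[0].split('.').map(Number);
  const pb = b.split(/[-+]/)[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Every installed copy of `name` as {path, version}, whatever the lockfile version.
function findInstalledVersions(lock, name) {
  const hits = [];
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
        hits.push({ path, version: entry.version });
      }
    }
  } else {
    const walk = (deps, prefix) => {
      for (const [dep, entry] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${dep}`;
        if (dep === name) hits.push({ path, version: entry.version });
        walk(entry.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Copies of `name` that are older than `fixedVersion`.
function vulnerableInstances(lock, name, fixedVersion) {
  return findInstalledVersions(lock, name)
    .filter((h) => compareVersions(h.version, fixedVersion) < 0);
}

function report(lock, name, fixedVersion) {
  const bad = vulnerableInstances(lock, name, fixedVersion);
  if (bad.length === 0) return `OK: every installed ${name} is >= ${fixedVersion}`;
  const lines = bad.map((h) => `  ${h.path}: ${h.version} < ${fixedVersion}`);
  return [`VULNERABLE ${name} found; run "npm update ${name}" (or "npm audit fix") and re-check:`, ...lines].join('\n');
}

// Usage: node check-jose.js [path/to/package-lock.json] [patchedVersion]
// Without arguments it reports on the constructed "before" sample.
if (typeof require !== 'undefined' && require.main === module) {
  let lock = SAMPLE_LOCK_BEFORE;
  const lockPath = process.argv[2];
  try {
    if (lockPath) lock = JSON.parse(require('fs').readFileSync(lockPath, 'utf8'));
  } catch (e) {
    console.error(`could not read ${lockPath}, using the constructed sample`);
  }
  console.log(report(lock, 'jose', process.argv[3] || '4.9.2'));
}
```

Run it against a project's package-lock.json before and after `npm update jose`; the nested-copy case is why the script reports every install path rather than just the hoisted node_modules/jose, since a second package pinning an older jose keeps the vulnerable code on disk even after the hoisted copy is current.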