Closed. drewjenkins closed this 4 years ago.
This still affects version 3.0.0 as well
Any updates to this?
I'm about to work on a fix for this, but in the meantime I'd like to list some of the mitigating factors involved so users can decide if they are affected by this or not.
This only affects the --forward feature, which is a development-time convenience feature for running a local HTTP proxy that you can configure your browser to use.
If you're running this proxy in a publicly accessible manner then this vulnerability is probably the least of your concerns.
v3.0.1 has been published with a fix.
I'm at a loss as to how to update the vulnerability DBs 😞
It would also be nice to update the severity, since "high" seems a little misleading considering you need to do something already considered dangerous (run a dev tool as a public open proxy) in order to even expose this.
Do you just email security@npmjs.org or report@nodesecurity.io ?
Snyk and HackerOne are not affiliated with npm/nsp so I'm not sure what they would be able to do about it.
This still affects version 3.0.1 as well; here is an "npm audit" report extract:
@fmagaldea that advisory is incorrect.
@rmg How can we fix the npm audit error?
Any updates to this? I get that the vulnerability is fixed, but it's still showing the advisory.
I've sent an email to security@npmjs.com to ask them to update the record.
When you do get that record updated, would you bump the version to 3.0.2 to make sure our random internal processes see it as a new artifact?
I just installed node-foreman and ran npm audit, and I got no open advisories. It looks like https://www.npmjs.com/advisories/645 now notes "Upgrade to 3.0.1" as the fix, @rmg, so maybe this can just be closed?
From Snyk:
✗ High severity vulnerability found on foreman@2.0.0