vuejs / vue-cli

🛠️ webpack-based tooling for Vue.js Development
https://cli.vuejs.org/
MIT License

Template injection in ejs, critical vulnerability #7188

Open gagrison opened 2 years ago

gagrison commented 2 years ago

Version

4.5.17

Environment info

System:
    OS: Linux 5.4 Ubuntu 20.04.4 LTS (Focal Fossa)
    CPU: (8) x64 Intel(R) Core(TM) i5-10210U CPU @ 1.60GHz
  Binaries:
    Node: 14.19.3 - /usr/local/bin/node
    Yarn: 1.22.18 - ~/.npm/bin/yarn
    npm: 6.14.17 - /usr/local/bin/npm
  Browsers:
    Chrome: 102.0.5005.61
    Firefox: 100.0.2
  npmPackages:
    @ckeditor/ckeditor5-vue2: ~3.0.0 => 3.0.1 
    @johmun/vue-tags-input: ~2.1.0 => 2.1.0 
    @vue/babel-helper-vue-jsx-merge-props:  1.2.1 
    @vue/babel-helper-vue-transform-on:  1.0.2 
    @vue/babel-plugin-jsx:  1.1.1 
    @vue/babel-plugin-transform-vue-jsx:  1.2.1 
    @vue/babel-preset-app:  4.5.17 
    @vue/babel-preset-jsx:  1.2.4 
    @vue/babel-sugar-composition-api-inject-h:  1.2.1 
    @vue/babel-sugar-composition-api-render-instance:  1.2.4 
    @vue/babel-sugar-functional-vue:  1.2.2 
    @vue/babel-sugar-inject-h:  1.2.2 
    @vue/babel-sugar-v-model:  1.2.3 
    @vue/babel-sugar-v-on:  1.2.3 
    @vue/cli-overlay:  4.5.17 
    @vue/cli-plugin-babel: ~4.5.11 => 4.5.17 
    @vue/cli-plugin-eslint: ~4.5.11 => 4.5.17 
    @vue/cli-plugin-router: ~4.5.11 => 4.5.17 
    @vue/cli-plugin-unit-jest: ~4.5.15 => 4.5.17 
    @vue/cli-plugin-vuex: ~4.5.11 => 4.5.17 
    @vue/cli-service: ~4.5.11 => 4.5.17 
    @vue/cli-shared-utils:  4.5.17 
    @vue/component-compiler-utils:  3.3.0 
    @vue/eslint-config-airbnb: ~5.3.0 => 5.3.0 
    @vue/preload-webpack-plugin:  1.1.2 
    @vue/test-utils: ~1.3.0 => 1.3.0 
    @vue/web-component-wrapper:  1.3.0 
    eslint-plugin-vue: ~7.19.1 => 7.19.1 
    jest-serializer-vue:  2.0.2 
    vue: ~2.6.12 => 2.6.14 
    vue-class-component:  7.2.6 
    vue-cli-plugin-style-resources-loader: ~0.1.4 => 0.1.5 
    vue-color: ~2.8.0 => 2.8.1 
    vue-content-placeholders: ~0.2.1 => 0.2.1 
    vue-easy-lightbox: ~0.16.0 => 0.16.2 
    vue-eslint-parser:  7.11.0 
    vue-hot-reload-api:  2.3.4 
    vue-hotjar: ~1.4.0 => 1.4.0 
    vue-jest:  3.0.7 
    vue-loader:  15.9.8 (16.8.3)
    vue-property-decorator:  8.5.1 
    vue-resize:  1.0.1 
    vue-router: ~3.5.1 => 3.5.4 
    vue-slick: ~1.1.0 => 1.1.20 
    vue-slider-component: ~3.2.11 => 3.2.15 
    vue-style-loader:  4.1.3 
    vue-template-compiler: ~2.6.12 => 2.6.14 
    vue-template-es2015-compiler:  1.9.1 
    vue-virtual-scroll-list: ~2.3.2 => 2.3.3 
    vuedraggable: ~2.24.3 => 2.24.3 
    vuelidate: ~0.7.6 => 0.7.7 
    vuescroll: ~4.17.3 => 4.17.3 
    vuex: ~3.6.2 => 3.6.2 
  npmGlobalPackages:
    @vue/cli: Not Found

Steps to reproduce

Create a Vue project using vue create. Execute npm audit.

What is expected?

No critical vulnerabilities

What is actually happening?

There is a critical vulnerability https://github.com/advisories/GHSA-phwq-j96m-2c2q


Moving to vue-cli 5 is not an option because of https://github.com/vuejs/vue-cli/issues/7026
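Added example, not from the reporter or the vue-cli project: a small gate that reads `npm audit --json` output, lists every critical advisory with the dependency paths that reach it, and tells you whether those paths all run through build tooling such as @vue/cli-service (a dev dependency) rather than something shipped in the bundle. It handles the npm 6 report shape (matching the npm 6.14.17 in the environment above) and the npm 7+ shape; the embedded sample is constructed, and its advisory id, version and path are placeholders, only the advisory URL comes from the issue.

```javascript
// Added example: triage critical findings from `npm audit --json`.
// Supports the npm 6 shape (`advisories`) and the npm 7+ shape
// (`auditReportVersion: 2`, `vulnerabilities`).

function criticalFindings(report) {
  const out = [];
  if (report.advisories) {
    // npm 6: advisories keyed by numeric id, each with findings[].paths
    for (const adv of Object.values(report.advisories)) {
      if (adv.severity !== 'critical') continue;
      const paths = adv.findings.flatMap((f) => f.paths);
      out.push({ module: adv.module_name, url: adv.url, paths });
    }
  } else if (report.vulnerabilities) {
    // npm 7+: keyed by package name; `via` objects are the advisories,
    // `via` strings are upstream packages and carry no advisory data
    for (const vuln of Object.values(report.vulnerabilities)) {
      if (vuln.severity !== 'critical') continue;
      for (const via of vuln.via) {
        if (typeof via !== 'object') continue;
        out.push({ module: via.name, url: via.url, paths: vuln.nodes });
      }
    }
  }
  return out;
}

// True when every path to every critical finding starts at a dev-tooling
// root, i.e. the vulnerable module is not part of the production bundle.
function onlyViaDevTooling(findings, devRoots = ['@vue/cli-service']) {
  return findings.every((f) =>
    f.paths.every((p) => devRoots.some((r) => p.startsWith(r))));
}

// Constructed sample in the npm 6 shape (id, version and path are placeholders).
const SAMPLE_NPM6 = {
  advisories: {
    '0000': {
      module_name: 'ejs',
      severity: 'critical',
      title: 'Template injection in ejs',
      url: 'https://github.com/advisories/GHSA-phwq-j96m-2c2q',
      findings: [{ version: '0.0.0-placeholder', paths: ['@vue/cli-service>ejs'] }],
    },
  },
  metadata: { vulnerabilities: { critical: 1 } },
};

const findings = criticalFindings(SAMPLE_NPM6);
// Fail the build only if a critical finding is reachable outside dev tooling.
if (findings.length && !onlyViaDevTooling(findings)) process.exitCode = 1;
```

In a pipeline, replace `SAMPLE_NPM6` with `JSON.parse` of the captured `npm audit --json` output; a finding that is only reachable through dev tooling is still worth tracking, but it is a different risk from one in the shipped bundle.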

guyschlider commented 2 years ago

Any plans to address this issue?