Closed MarcinHoppe closed 3 years ago
rezonant
commented
4 years ago Hello from the jsonpath community-- it seems clear that the original author doesn't have time for this but we are using jison to generate the parser. Can you give us an idea of the risk of this security issue?
MarcinHoppe
commented
4 years ago The issue has already been disclosed: https://hackerone.com/reports/690010. We will be requesting a CVE for it.
metasansana
commented
4 years ago @MarcinHoppe the exploit example seems legit but it looks to me like that's dead code. That said, this project desperately needs TLC.
MarcinHoppe
commented
4 years ago That's true, we have been unable to get in touch with the maintainer and had to disclose the vulnerability without the fix available.
skanaar
commented
3 years ago The issue is a false positive. If you use Jison via NPM you will not be exposed to the offending code.
The steps to reproduce explicitly says that you have to git clone some other code than the published package.
skanaar
commented
3 years ago The NPM security team has now removed advisory 1566 which is their name of the https://hackerone.com/reports/690010 report.
They did this as the report is a false positive, the npm package does not contain the reported vulnerability.
skanaar
commented
3 years ago GitHub has also removed their security advisory associated with this report.
@MarcinHoppe perhaps this issue can be closed?
MarcinHoppe
commented
3 years ago @skanaar yes! I will update the HackerOne report.
I'm a member of the Node.js Ecosystem Security Working Group and we received a report of a vulnerability in this module.
We tried inviting the author by e-mail but received no response so I'm opening this issue and inviting anyone with commit and npm publish rights to collaborate with us on a fix.