2 High Vulnerabilities and 1 Medium Vulnerability were found via Checkmarx scanning of the PM2 version 5.4.0, released 11 days ago.
The High Vulnerabilities are for the debug library, being the following ones:
In NPM debug, the enable function accepts a regular expression from user input without escaping it. Arbitrary regular expressions could be injected to cause a Denial of Service attack on the user's browser, otherwise known as a ReDoS (Regular Expression Denial of Service). URL to the GitHub issue on this topic for debug: Regex injection in enable(namespaces) debug-js/debug#737
NPM debug prior to 4.3.0 has a memory leak when creating debug instances inside a function, which can have a significant impact on availability. This happens because the function debug in the file src/common.js does not free up used memory. URL to the GitHub issue on this topic for debug: memory leak when instance is created inside a function. debug-js/debug#678
The Medium vulnerability is for the commander library:
A local code/OS command execution vulnerability was discovered in Commander.js, in the “parse()” method. Given permission to write and set permissions on a file in the same working directory as the application, and given the ability to pass the value “proto” to the “parse()” method, an attacker can bypass checks against values set in _execs[] to execute an external file which was not intended. The URL to the issue & release on this topic for commander: https://github.com/tj/commander.js/releases/tag/v3.0.2
How could we reproduce this issue?
By scanning via the Checkmarx OSA Scanning procedure.
Supporting information
The solution would be to upgrade the commander library to at least version 2.20.1, all the way up to the latest version which is 12.1.0.
The solution for the debug library is to upgrade to at least 4.3.5, or all the way up to the latest version.
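To illustrate the ReDoS finding against debug's enable(), here is an added example (not code from this issue, from pm2, or from debug) of the unsafe namespace-to-RegExp conversion shape beside a hardened variant that escapes metacharacters before expanding only the `*` wildcard. It assumes debug's namespace grammar (comma/space separated names, `*` wildcard, `-` prefix for skips); the function names are ours.

```javascript
// Escape every RegExp metacharacter except '*', which debug treats as a wildcard.
function escapeRegExp(s) {
  return s.replace(/[.+?^${}()|[\]\\]/g, '\\$&');
}

// Unsafe shape: '*' is expanded but all other metacharacters pass straight
// through, so an untrusted DEBUG value becomes an arbitrary regular expression.
function unsafeNamespaceToRegExp(ns) {
  return new RegExp('^' + ns.replace(/\*/g, '.*?') + '$');
}

// Hardened: escape first, then expand only the '*' wildcard. Any other
// metacharacter in the input is matched literally instead of being executed.
function safeNamespaceToRegExp(ns) {
  return new RegExp('^' + escapeRegExp(ns).replace(/\*/g, '.*?') + '$');
}

// Build an enabled(name) predicate from a DEBUG-style namespace string,
// mirroring the names/skips split that debug's enable() performs.
function createMatcher(namespaces) {
  const names = [];
  const skips = [];
  for (const raw of String(namespaces).split(/[\s,]+/)) {
    if (!raw) continue;
    if (raw[0] === '-') skips.push(safeNamespaceToRegExp(raw.slice(1)));
    else names.push(safeNamespaceToRegExp(raw));
  }
  return (name) => !skips.some((r) => r.test(name)) && names.some((r) => r.test(name));
}

// Constructed sample input: a namespace containing regex syntax.
const untrustedNamespace = 'app:(a+)+';
console.log(unsafeNamespaceToRegExp(untrustedNamespace).source); // ^app:(a+)+$
console.log(safeNamespaceToRegExp(untrustedNamespace).source);   // ^app:\(a\+\)\+$
```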