Regular Expression Denial of Service vulnerability in "ws" package #31646

Closed
dGalitsky opened this issue Jun 2, 2021 · 2 comments
Labels
Help Wanted :octocat: Issues ideal for external contributors.

Comments

@dGalitsky

Description

React Native is using version 6.1.4 of ws. A new moderate vulnerability has been found for versions below 7.4.6: https://www.npmjs.com/advisories/1748.
Please consider upgrading ws to 7.4.6.

React Native version:

System:
    OS: macOS 11.4
    CPU: (8) x64 Intel(R) Core(TM) i7-4980HQ CPU @ 2.80GHz
    Memory: 48.56 MB / 16.00 GB
    Shell: 5.8 - /bin/zsh
  Binaries:
    Node: 12.16.3 - /usr/local/bin/node
    Yarn: 1.22.4 - /usr/local/bin/yarn
    npm: 6.14.4 - /usr/local/bin/npm
    Watchman: 4.9.0 - /usr/local/bin/watchman
  Managers:
    CocoaPods: 1.10.1 - /usr/local/bin/pod
  SDKs:
    iOS SDK:
      Platforms: iOS 14.5, DriverKit 20.4, macOS 11.3, tvOS 14.5, watchOS 7.4
    Android SDK: Not Found
  IDEs:
    Android Studio: 4.2 AI-202.7660.26.42.7322048
    Xcode: 12.5/12E262 - /usr/bin/xcodebuild
  Languages:
    Java: 13.0.2 - /usr/bin/javac
  npmPackages:
    @react-native-community/cli: ~4.14.0 => 4.14.0 
    react: ~17.0.1 => 17.0.1 
    react-native: ~0.64.1 => 0.64.1 
    react-native-macos: Not Found
  npmGlobalPackages:
    *react-native*: Not Found

Steps To Reproduce

  1. install react-native@0.64.1
  2. run npm audit
  3. observe new vulnerability

Expected Results

No vulnerabilities found

Snack, code example, screenshot, or link to a repository:

[screenshot of the npm audit output; image not reproduced]

@digitalIntrospection

although I see #31648 is closed, I am still seeing this vulnerable version of "ws" in react-native 0.69.2, and in the 'main' development branch.

Forgive my ignorance as I'm trying to understand the process. I'm confused about how to know whether this means it will be included in an upcoming release or not (also whether it's better to comment here, or on the closed issue which seemingly has merged the fix).

Can someone clarify what is the status?

Also, I saw in #20222 a developer indicated that 'ws' is only for development/testing purposes; if this is true, is there a reason it's not in the 'devDependencies' section?

Thanks

@cortinico
Contributor

> although I see #31648 is closed, I am still seeing this vulnerable version of "ws" in react-native 0.69.2, and in the 'main' development branch.

Please note that #31648 was never merged.

> if this is true, is there a reason it's not in the 'devDependencies' section?

Not sure at this stage, but it should be fine sending a PR for moving it + bumping. We can take a look at what the current blockers are.

@cortinico cortinico added Help Wanted :octocat: Issues ideal for external contributors. and removed Needs: Triage 🔍 labels Jul 22, 2022
OlimpiaZurek pushed a commit to OlimpiaZurek/react-native that referenced this issue May 22, 2023
Summary:
A moderate vulnerability was found in all versions of `ws` below 7.4.6 June last year. React Native currently uses v6.1.4, which is susceptible to it; fortunately this security fix has been backported to v6.X.X and we don't need to upgrade any major versions/worry about breaking changes. This PR bumps `ws` to 6.2.2 ([CHANGELOG](https://github.com/websockets/ws/releases/tag/6.2.2)) due to this ReDoS vulnerability

More information about this vulnerability can be found here -> GHSA-6fc8-4gx4-v693

Closes facebook#31646

## Changelog

[Internal] [Security] - Bump ws to 6.2.2 due to ReDoS vulnerability

Pull Request resolved: facebook#34759

Test Plan:
Ensure WebSocket tests are working as expected

Tested HMR working on Twilight
| iOS | Android |
| --- | --- |
| https://pxl.cl/2g70M | https://pxl.cl/2g70V |

Reviewed By: hramos, cortinico

Differential Revision: D39722905

fbshipit-source-id: 12088ab5ea26d904675de484e2014949d6696465