CVE-2022-24434

[chkp-idoma]

Hi,
Please fix CVE-2022-24434
need to make sure to update dicer to be <= 0.3.1
(by updating multer when possible - please follow expressjs/multer#1095)

npm ls output:

-- routing-controllers@0.9.0 -- multer@1.4.4
-- busboy@0.2.14 -- dicer@0.2.5

[zSakuraEvilz]

Hi
Is there no released version to fix this problem?.
This repo is dead, right?
It's been over a year and there no one new releases.

[gokuldeep-kk]

Facing a similar issue on performing a Snyk scan - https://security.snyk.io/vuln/SNYK-JS-DICER-2311764
The package version remains to be the same as mentioned above

[eladni101]

any update?

[look4regev]

It seems we have no choice but to replace to a better maintained alternative such as https://github.com/tsedio/tsed to resolve this high severity CVE. Any other ideas?

[roi972]

@look4regev @chkp-idoma - as fas as I understand the vulnerability occurs only if you expose a route with file upload.
Also, because this project isn't maintained, you can fork this project and update the related dependency. I tried this and the project tests pass (after making a small correction), but I didn't do any other tests (degradation)

[attilaorosz]

Should be fixed

[look4regev]

Thanks! The new release (v0.10.0) looks packed with goodies. Much appreciated.

[github-actions]

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.