ReDoS Vulnerability #412
Comments
nttibbetts added a commit to nttibbetts/webpack-hot-middleware that referenced this issue on Sep 9, 2021:

This fixes the vulnerability reported in [CVE-2021-23424][CVE], by replacing the ansi-html dependency with a fork of the project that has the [suggested fix][ansi-html-fix] and resolves [webpack-contrib#412][412]

[CVE]: https://nvd.nist.gov/vuln/detail/CVE-2021-23424
[ansi-html-fix]: Tjatse/ansi-html#19
[412]: webpack-contrib#412
nttibbetts added a commit to nttibbetts/webpack-hot-middleware that referenced this issue on Sep 9, 2021:

This fixes the vulnerability reported in [CVE-2021-23424][CVE], by replacing the ansi-html dependency with a fork of the project that has the [suggested fix][ansi-html-fix] and resolves [webpack-contrib#412][412]

[CVE]: https://nvd.nist.gov/vuln/detail/CVE-2021-23424
[ansi-html-fix]: Tjatse#19
[412]: webpack-hot-middleware#412
nttibbetts added a commit to nttibbetts/webpack-hot-middleware that referenced this issue on Sep 9, 2021:

This fixes the vulnerability reported in [CVE-2021-23424][CVE] by replacing the ansi-html dependency with a fork of the project that has the [suggested fix][ansi-html-fix] and resolves [webpack-contrib#412][412]

[CVE]: https://nvd.nist.gov/vuln/detail/CVE-2021-23424
[ansi-html-fix]: Tjatse/ansi-html#19
[412]: webpack-contrib#412
nttibbetts added a commit to nttibbetts/webpack-hot-middleware that referenced this issue on Sep 9, 2021:

This is a fix for the vulnerability reported in [CVE-2021-23424][CVE] by replacing the ansi-html dependency with a fork of the project that has the [suggested fix][ansi-html-fix] and resolves [webpack-contrib#412][412]

[CVE]: https://nvd.nist.gov/vuln/detail/CVE-2021-23424
[ansi-html-fix]: Tjatse/ansi-html#19
[412]: webpack-contrib#412
Will there be a release based on this?
Released in
How Do We Reproduce?
This is a vulnerability in ansi-html, which this package depends on. To reproduce it, you can use the command below, as described in Tjatse/ansi-html#19.
Unfortunately, ansi-html seems to be unmaintained. Several options for what to do here were discussed in webpack/webpack-dev-server#3576, and it was fixed by switching to a fork of ansi-html called ansi-html-community. That change was merged in webpack/webpack-dev-server#3801.
While this package shouldn't be running in production, using unmaintained packages is an issue, and vulnerability scanners pick up the fact that any project using webpack-hot-middleware is pulling in the vulnerable ansi-html package.
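One way to confirm whether a project's lockfile still pulls in `ansi-html`, and through which dependent, is to invert the dependency graph in the npm lockfile. This is an added example, not code from the issue or from webpack-hot-middleware; the lockfile contents, package set and version strings are constructed placeholders, and the helper names are my own.

```javascript
// Added example (not from the issue or webpack-hot-middleware): locate the
// unmaintained `ansi-html` in an npm lockfile (lockfileVersion 2 or 3, which
// has a flat `packages` map keyed by install path; v1 is not handled here).
const TARGET = "ansi-html";

// Constructed sample lockfile; packages and version strings are placeholders.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { "webpack-hot-middleware": "^0.0.0" } },
    "node_modules/webpack-hot-middleware": {
      version: "0.0.0",
      dependencies: { "ansi-html": "0.0.0", "some-other-dep": "^0.0.0" },
    },
    "node_modules/ansi-html": { version: "0.0.0" },
    "node_modules/some-other-dep": { version: "0.0.0" },
    // The fork has a different name; exact matching must not flag it.
    "node_modules/ansi-html-community": { version: "0.0.0" },
  },
};

// "node_modules/a/node_modules/@s/b" -> "@s/b": strip the install path prefix.
function lockPackageName(installPath) {
  const marker = "node_modules/";
  const i = installPath.lastIndexOf(marker);
  return i === -1 ? installPath : installPath.slice(i + marker.length);
}

// Every package whose declared dependencies include `target`, with the range it asks for.
function findDependents(lock, target) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const deps = { ...meta.dependencies, ...meta.optionalDependencies };
    if (Object.prototype.hasOwnProperty.call(deps, target)) {
      hits.push({ dependent: path === "" ? "(root)" : lockPackageName(path), range: deps[target] });
    }
  }
  return hits;
}

// Installed copies of `target` (nested duplicates included) plus who pulls them in.
function auditPackage(lock, target = TARGET) {
  const installed = Object.entries(lock.packages || {})
    .filter(([path]) => lockPackageName(path) === target)
    .map(([path, meta]) => ({ path, version: meta.version }));
  return { target, installed, pulledInBy: findDependents(lock, target) };
}

console.log(JSON.stringify(auditPackage(sampleLock), null, 2));
```

Point `auditPackage` at `JSON.parse(fs.readFileSync("package-lock.json"))` to run it against a real project; an empty `pulledInBy` list after upgrading confirms the dependency was actually swapped rather than merely re-resolved.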