stripes-webpack
STRWEB-50: favicons with url-regex DoS (CVE-2020-7661)


Details

    • Stripes Force

    Description

      stripes-core has this dependency:

      "favicons-webpack-plugin": "^3.0.1"
        favicons "5.5.0"
          to-ico "^1.1.5"
            resize-img "^1.1.0"
              jimp "^0.2.21"
                url-regex "^3.0.0"
      

      All versions of url-regex have a denial-of-service vulnerability, and the package appears to be unmaintained:
      https://nvd.nist.gov/vuln/detail/CVE-2020-7661
      https://github.com/kevva/url-regex/issues/70

      jimp >= 0.3.0 no longer has the url-regex dependency: https://github.com/oliver-moran/jimp/commit/a13e939b57a4e2b9ec9192c43e807cd456e6e4f9

      resize-img >= 2.0.0 depends on "jimp": "^0.8.3".

      to-ico 1.1.5 is the latest version and still depends on resize-img "^1.1.0". There is a pull request with a fix https://github.com/kevva/to-ico/pull/19 but the repository has been unmaintained since August 2017.

      The favicons maintainers say: "But in fact this vulnerability is not harmful because this package doesn't interact with the outside world and is used only locally." https://github.com/itgalaxy/favicons/issues/322

              People

                rberger Ryan Berger
                julianladisch Julian Ladisch