Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

NPM IP package vulnerable to Server-Side Request Forgery (SSRF) attacks #288

Closed
EnzooKms opened this issue Feb 15, 2024 · 16 comments
Closed

NPM IP package vulnerable to Server-Side Request Forgery (SSRF) attacks #288

EnzooKms opened this issue Feb 15, 2024 · 16 comments

Comments

@EnzooKms
Copy link

socks-proxy-agent

This package uses socks version 2.7.1, which has a dependency vulnerability.

Use the new socks patch as https://www.npmjs.com/package/socks/v/2.7.3

resources :
@TooTallNate
Copy link
Owner

Run npm upgrade in your project. It'll pick up socks@2.7.3.

@RCMainak
Copy link

Hello @TooTallNate, the vulnerable ip package is being pulled by the default npm installation. I tried building a docker image with node 20 and ip package is present in the image. Let me know if I'm doing anything wrong.

image

Here's my Dockerfile,

FROM node:20
COPY ./app.js ./
CMD ["node", "./app.js"]

@TooTallNate
Copy link
Owner

You're not doing anything wrong. The Docker image contains what was released in the version of Node.js / npm which that image contains, which was published before the fix here was. You'll need to wait for a new version of the Docker image to be published.

@RCMainak
Copy link

Makes sense, thanks.

@TooTallNate TooTallNate mentioned this issue Feb 16, 2024
Closed
@invariants
Copy link

invariants commented Feb 16, 2024
edited
Loading

Run npm upgrade in your project. It'll pick up socks@2.7.3.

I upgraded to the latest npm, ran npm upgrade and i still get:

npm ls ip
...
└─┬ npm@10.4.0
 └─┬ make-fetch-happen@13.0.0
   └─┬ @npmcli/agent@2.2.0
     └─┬ socks-proxy-agent@8.0.2
       └─┬ socks@2.7.1
         └── ip@2.0.0

Wouldn`t it be better to just bump your dependency to socks "^2.7.3"?

@EnzooKms
Copy link
Author

Run npm upgrade in your project. It'll pick up socks@2.7.3.

I upgraded to the latest npm, ran npm upgrade and i still get:

npm ls ip
...
└─┬ npm@10.4.0
 └─┬ make-fetch-happen@13.0.0
   └─┬ @npmcli/agent@2.2.0
     └─┬ socks-proxy-agent@8.0.2
       └─┬ socks@2.7.1
         └── ip@2.0.0

Wouldn`t it be better to just bump your dependency to socks "^2.7.3"?

Use npm audit to fix that

@invariants
Copy link

invariants commented Feb 17, 2024
edited
Loading

Use npm audit to fix that

That dosn`t work as well. You can try it for yourself, make a new node project and install the latest npm as a dependency.

@EnzooKms
Copy link
Author

Use npm audit to fix that

That dosn`t work as well. You can try it for yourself, make a new node project and install the latest npm as a dependency.

npm audit
npm audit fix

Dosn't work ?

I don't know how to resolve then

@TooTallNate
Copy link
Owner

That issue is specific to the npm package itself, since it's bundling the dependencies using the bundleDependencies key in the package.json file. So the versions of dependencies that get installed are locked to what was available when that version of npm was published. Unfortunately there's not going to be anything I can do I my end to fix that.

@invariants
Copy link

invariants commented Feb 17, 2024
edited
Loading

That issue is specific to the npm package itself, since it's bundling the dependencies using the bundleDependencies key in the package.json file. So the versions of dependencies that get installed are locked to what was available when that version of npm was published. Unfortunately there's not going to be anything I can do I my end to fix that.

Ahh, thanks for clarifying! I'll look in the Npm Issue Tracker then.
EDIT: This seems to be the one npm/cli#7223

@TooTallNate
Copy link
Owner

Is there a reason you're concerned specifically with the deps that npm installs? It shouldn't be a dependency directly of your project except for rare circumstances.

@invariants
Copy link

Is there a reason you're concerned specifically with the deps that npm installs? It shouldn't be a dependency directly of your project except for rare circumstances.

Were using the https://github.com/semantic-release/npm plugin to create a private npm package in our CI/CD pipeline. This depends on npm and has over a million weekly downloads. So i would say its not that rare ;).

@TooTallNate TooTallNate mentioned this issue Feb 19, 2024
Closed
@invariants invariants mentioned this issue Feb 19, 2024
Closed
2 tasks
@dball
Copy link

dball commented Feb 19, 2024

FWIW, we're concerned with the deps that npm installs because the security vulnerability scanners flag them, and regulatory compliance requires that we mitigate them; I suspect we're not alone in this situation.

@mihob
Copy link

mihob commented Feb 20, 2024

Same situation here, any news on this topic?

@EnzooKms
Copy link
Author

Same situation here, any news on this topic?

U try npm audit ?

@TooTallNate
Copy link
Owner

I've already said that a new npm release needs to be made. I'm going to lock this thread.

Repository owner locked and limited conversation to collaborators Feb 20, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@dball @TooTallNate @invariants @RCMainak @mihob @EnzooKms