Vulnerability in "node-forge" transitive dependency of "webpack-dev-server" in "@vue/cli-service": Prototype Pollution #5919

Closed
piraces opened this issue Oct 1, 2020 · 7 comments
Comments

@piraces

piraces commented Oct 1, 2020

Version

4.5.6

Environment info

Environment Info:

  System:
    OS: Windows 10 10.0.19041
    CPU: (8) x64 Intel(R) Core(TM) i7-8550U CPU @ 1.80GHz
  Binaries:
    Node: 12.18.3 - C:\Program Files\nodejs\node.EXE
    Yarn: 1.22.5 - C:\Program Files (x86)\Yarn\bin\yarn.CMD
    npm: 6.14.8 - C:\Program Files\nodejs\npm.CMD
  Browsers:
    Chrome: 85.0.4183.121
    Edge: Spartan (44.19041.423.0), Chromium (85.0.564.63), ChromiumDev (87.0.654.0)
  npmPackages:
    @ant-design-vue/babel-helper-vue-transform-on:  1.0.1
    @types/vue2-editor: ^2.6.0 => 2.6.0
    @vue/babel-helper-vue-jsx-merge-props:  1.0.0
    @vue/babel-plugin-transform-vue-jsx:  1.1.2
    @vue/babel-preset-app: ^4.1.1 => 4.5.4
    @vue/babel-preset-jsx:  1.1.2
    @vue/babel-sugar-functional-vue:  1.1.2
    @vue/babel-sugar-inject-h:  1.1.2
    @vue/babel-sugar-v-model:  1.1.2
    @vue/babel-sugar-v-on:  1.1.2
    @vue/cli-overlay:  4.5.6
    @vue/cli-plugin-babel: ^4.1.1 => 4.5.4
    @vue/cli-plugin-eslint: ^4.1.0 => 4.5.4
    @vue/cli-plugin-router:  4.5.6
    @vue/cli-plugin-typescript: ^4.1.1 => 4.5.4
    @vue/cli-plugin-unit-mocha: ^4.1.1 => 4.5.4
    @vue/cli-plugin-vuex:  4.5.6
    @vue/cli-service: 4.5.6 => 4.5.6
    @vue/cli-shared-utils:  4.5.4 (4.5.6)
    @vue/component-compiler-utils:  3.2.0
    @vue/composition-api: ^1.0.0-beta.3 => 1.0.0-beta.3
    @vue/eslint-config-airbnb: ^4.0.0 => 4.0.1
    @vue/eslint-config-typescript: ^4.0.0 => 4.0.0
    @vue/preload-webpack-plugin:  1.1.2
    @vue/test-utils: 1.0.0-beta.29 => 1.0.0-beta.29
    @vue/web-component-wrapper:  1.2.0
    ag-grid-vue: ^21.2.2 => 21.2.2
    eslint-plugin-vue: ^6.1.2 => 6.1.2
    typescript: ^3.4.2 => 3.5.3
    vue: ^2.6.10 => 2.6.10 (2.6.11)
    vue-class-component: ^6.3.2 => 6.3.2
    vue-d2b: ^1.0.15 => 1.0.15
    vue-directive-tooltip: ^1.6.3 => 1.6.3
    vue-eslint-parser:  7.0.0
    vue-hot-reload-api:  2.3.4
    vue-i18n: ^8.10.0 => 8.12.0
    vue-json-pretty: ^1.6.2 => 1.6.2
    vue-loader:  15.9.3 (16.0.0-beta.8)
    vue-moment: ^4.0.0 => 4.1.0
    vue-property-decorator: ^7.3.0 => 7.3.0
    vue-resize-directive: ^1.2.0 => 1.2.0
    vue-router: ^3.0.3 => 3.0.7
    vue-style-loader:  4.1.2
    vue-template-compiler: ^2.6.10 => 2.6.10
    vue-template-es2015-compiler:  1.9.1
    vue2-ace-editor: 0.0.11 => 0.0.11
    vue2-editor: ^2.10.2 => 2.10.2
    vuex: ^3.1.0 => 3.1.1
    vuex-class: ^0.3.2 => 0.3.2
  npmGlobalPackages:
    @vue/cli: Not Found

Steps to reproduce

Install the latest version of @vue/cli-service, run yarn audit or npm audit, and see that the following advisory is shown (in this case with yarn):

❯ yarn audit
yarn audit v1.22.5
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Prototype Pollution in node-forge                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ node-forge                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >= 0.10.0                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @vue/cli-service                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @vue/cli-service > webpack-dev-server > selfsigned >         │
│               │ node-forge                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1561                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
1 vulnerabilities found - Packages audited: 1932
Severity: 1 High
Done in 3.27s.

What is expected?

Yarn audit or npm audit should return no vulnerabilities.

What is actually happening?

Yarn audit or npm audit returns one high vulnerability.


Since this is the latest version and the vulnerability is rated high, it would need to be fixed (by upgrading node-forge).

Related NPM advisory: https://www.npmjs.com/advisories/1561

@LinusBorg
Member

LinusBorg commented Oct 1, 2020

As shown in the vulnerability report you pasted, this is a transitive dependency of webpack-dev-server. We can't upgrade it on our end.

@LinusBorg
Member

Also, looking at the report, it seems that the affected features are utility functions that are not used by the features that node-forge itself provides. So unless webpack-dev-server does make use of these utilities and does so in an unsafe way, which is very unlikely, this is not really a serious vulnerability in our context.

@piraces piraces changed the title from "Vulnerability in "node-forge" dependency of "@vue/cli-service": Prototype Pollution" to "Vulnerability in "node-forge" transitive dependency of "webpack-dev-server" in "@vue/cli-service": Prototype Pollution" on Oct 1, 2020
@piraces
Author

piraces commented Oct 1, 2020

Thanks for the clarification @LinusBorg! I have changed the title of the issue to reflect that it is a transitive dependency.
Knowing that it does not have an impact on vue-cli is good. Nevertheless, I think vue-cli should upgrade webpack-dev-server once it is resolved on their side.

Related PRs in webpack-dev-server:
webpack/webpack-dev-server#2752
webpack/webpack-dev-server#2740

Related Issues in webpack-dev-server:
webpack/webpack-dev-server#2755

@LinusBorg
Member

Since that will result in a patch release of webpack-dev-server, newly created projects will get that new version as soon as it's out.

Existing projects need to explicitly upgrade themselves, i.e. by deleting the lockfile and running the package install again (npm i / yarn)

@piraces
Author

piraces commented Oct 1, 2020

That is correct. Should I close this issue or keep it open until webpack-dev-server patches it for reference?

@LinusBorg
Member

Keep it open for reference, other people might come here with the same question.

@piraces
Author

piraces commented Oct 5, 2020

Closing due to webpack/webpack-dev-server#2755. If you upgrade the transitive dependencies of webpack-dev-server in your yarn.lock or package-lock.json, specifically the dependency on selfsigned, then node-forge gets updated and the vulnerability is resolved.
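A lockfile check in the spirit of the last comment, added here and not part of the issue or of either project's code: it walks a constructed npm 6 package-lock.json (lockfileVersion 1, the format the npm 6.14.8 in the environment info writes; yarn.lock is not handled) with Node's module resolution rules and reports every logical path that reaches a node-forge copy below the advisory's patched version 0.10.0. The package versions in the sample lock are constructed, not taken from the real packages; replacing the selfsigned entry with one that no longer pins a nested node-forge, so the hoisted patched copy is resolved instead, makes the finding disappear.

```javascript
// Added example (not code from the issue, vue-cli or webpack-dev-server); lock data is constructed.
const ADVISORY = { name: "node-forge", patchedIn: "0.10.0" }; // from the audit table

// Constructed lock fragment in npm 6 shape: nested `dependencies` mirror the physical
// node_modules layout, `requires` lists what each package imports.
const sampleLock = {
  dependencies: {
    "@vue/cli-service": { version: "4.5.6", requires: { "webpack-dev-server": "^3.11.0" } },
    "webpack-dev-server": { version: "3.11.0", requires: { selfsigned: "^1.10.7" } },
    selfsigned: { version: "1.10.7", requires: { "node-forge": "0.9.0" },
      dependencies: { "node-forge": { version: "0.9.0" } } },   // pinned, nested copy
    "node-forge": { version: "0.10.0" },                         // hoisted, patched copy
  },
};

// Compare MAJOR.MINOR.PATCH numerically; a pre-release suffix is ignored.
function compareVersions(a, b) {
  const [pa, pb] = [a, b].map((v) => v.split("-")[0].split(".").map(Number));
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  return 0;
}

// Node resolution over the lock: innermost nested node_modules first, then outward.
function resolve(scopes, name) {
  for (let i = scopes.length - 1; i >= 0; i--)
    if (scopes[i] && scopes[i][name]) return { entry: scopes[i][name], depth: i };
  return null;
}

// rootDeps: names from the project's own package.json (lockfile v1 omits them).
// Every distinct path to a vulnerable copy is reported; cycles are cut by name.
function findVulnerablePaths(lock, rootDeps, advisory) {
  const findings = [];
  function walk(name, entry, scopes, trail) {
    if (trail.includes(name)) return;
    const path = [...trail, name];
    if (name === advisory.name && compareVersions(entry.version, advisory.patchedIn) < 0)
      findings.push({ path: path.join(" > "), version: entry.version });
    const inner = [...scopes, entry.dependencies];
    for (const dep of Object.keys(entry.requires || {})) {
      const r = resolve(inner, dep);
      if (r) walk(dep, r.entry, inner.slice(0, r.depth + 1), path);
    }
  }
  for (const name of rootDeps) {
    const r = resolve([lock.dependencies], name);
    if (r) walk(name, r.entry, [lock.dependencies], []);
  }
  return findings;
}
```

Running `findVulnerablePaths(sampleLock, ["@vue/cli-service"], ADVISORY)` reproduces the path from the audit table; point it at a real lock with `JSON.parse(fs.readFileSync("package-lock.json"))` and the dependency names from package.json.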

@piraces piraces closed this as completed Oct 5, 2020