
Security: Transitive remote code execution vulnerability through proxy-agent -> ... -> vm2 (CVE-2023-37903)

Open Ilnore opened this issue 2 years ago • 1 comments

https://www.cve.org/CVERecord?id=CVE-2023-37903

The vm2 library is vulnerable to a remote code execution attack, and the library is discontinued and no further updates are expected there to fix this.

The dependency chain for this is:

[email protected][email protected][email protected][email protected][email protected][email protected]

The fix for serverless-cloudfront-invalidate would be to upgrade to proxy-agent 6.3.0 or newer. Proxy-agent 6.3.0 transitions away from vm2 to quickjs-emscripten.

https://github.com/TooTallNate/proxy-agents/releases/tag/proxy-agent%406.3.0

https://github.com/TooTallNate/proxy-agents/releases/tag/pac-proxy-agent%407.0.0

There is a fix waiting in PR #43 already.

Ilnore avatar Dec 14 '23 06:12 Ilnore
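An added example, not code from this issue or from serverless-cloudfront-invalidate, showing how a defender can confirm the chain above from a project's package-lock.json and check whether the installed proxy-agent already meets the 6.3.0 floor; the lock contents and every version number in it are constructed placeholders.

```javascript
// Walk a package-lock.json (v2/v3 "packages" map), list every dependency path that reaches vm2,
// and flag proxy-agent copies older than 6.3.0, the release that replaced vm2. Constructed data.
const LOCK = { name: "example-app", packages: {
  "": { dependencies: { "serverless-cloudfront-invalidate": "*" } },
  "node_modules/serverless-cloudfront-invalidate": { version: "1.0.0", dependencies: { "proxy-agent": "*" } },
  "node_modules/proxy-agent": { version: "5.0.0", dependencies: { "pac-proxy-agent": "*" } },
  "node_modules/pac-proxy-agent": { version: "5.0.0", dependencies: { "pac-resolver": "*" } },
  "node_modules/pac-resolver": { version: "5.0.0", dependencies: { degenerator: "*" } },
  "node_modules/degenerator": { version: "3.0.0", dependencies: { vm2: "*" } },
  "node_modules/vm2": { version: "3.9.19" },
} };
const nameOf = (p) => p.slice(p.lastIndexOf("node_modules/") + 13); // also handles @scope/pkg
// npm resolution: nearest node_modules/<name> walking up from the requiring package's path.
function resolveDep(packages, fromPath, name) {
  for (let base = fromPath; ; ) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const i = base.lastIndexOf("/node_modules/");
    base = i < 0 ? "" : base.slice(0, i);
  }
}

// Every dependency path from the root package to `target`, rendered as "a@1 > b@2 > ...".
function pathsTo(lock, target) {
  const pk = lock.packages, found = [];
  const label = (p) => (p ? `${nameOf(p)}@${pk[p].version}` : lock.name);
  const walk = (path, chain) => {
    if (chain.includes(path)) return; // cycle guard
    const next = [...chain, path];
    if ((path ? nameOf(path) : lock.name) === target) return found.push(next.map(label).join(" > "));
    for (const dep of Object.keys(pk[path].dependencies || {})) {
      const p = resolveDep(pk, path, dep);
      if (p) walk(p, next);
    }
  };
  walk("", []);
  return found;
}

function versionAtLeast(v, min) { // numeric major.minor.patch compare, prerelease tag ignored
  const a = v.split("-")[0].split(".").map(Number), b = min.split(".").map(Number);
  const i = [0, 1, 2].find((k) => (a[k] || 0) !== (b[k] || 0));
  return i === undefined || (a[i] || 0) > (b[i] || 0);
}
// Installed proxy-agent copies that still predate the vm2-free 6.3.0 release.
function outdatedProxyAgents(lock, min = "6.3.0") {
  return Object.entries(lock.packages)
    .filter(([p, e]) => p.endsWith("node_modules/proxy-agent") && !versionAtLeast(e.version, min))
    .map(([p, e]) => `${p}@${e.version}`);
}
```

Replace `LOCK` with `JSON.parse(fs.readFileSync("package-lock.json"))` to run it against a real lockfile; an empty result from `pathsTo` and from `outdatedProxyAgents` after the upgrade is the confirmation that the chain is gone.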

https://github.com/thwalker6/serverless-cloudfront-invalidate

If you want to use this fork, this will resolve it. I put it as serverless-cf-invalidate-proxy because I'm not too creative with names.

thwalker6 avatar Dec 15 '23 20:12 thwalker6