
react-scripts 5 is using EJS as a dependency, which has a "Server side template injection high CVE in ejs@3.1.9"

Open sonu-jmh opened this issue 2 years ago • 5 comments

  • React-scripts 5 is using ejs@3.1.9 as an inner dependency, as described at the bottom.
  • ejs@3.1.9 has a critical CVE with severity (9.8).
  • How is the CVE going to be solved when react-scripts is being used?
  • Is there any alternative library that can be used instead of ejs, in case the fix for the CVE is not available?
  • The author of the ejs library is not acknowledging the CVE and has warned to use the render method to avoid the vulnerability.

Dependency Path: react-scripts-5.0.1.tgz -> workbox-webpack-plugin-6.5.4.tgz -> workbox-build-6.5.4.tgz -> rollup-plugin-off-main-thread-2.2.3.tgz -> ejs-3.1.9.tgz

sonu-jmh avatar May 23 '23 12:05 sonu-jmh
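Added example (not from the issue, react-scripts or workbox): a Node script that reconstructs the dependency path to ejs from a package-lock.json (lockfileVersion 2/3) the way `npm ls ejs` does, so a project can confirm whether the chain reported above is actually present in its own lockfile. The lock object below is constructed to mirror the path in the issue; the semver range strings in it are assumptions.

```javascript
// Constructed lockfile fragment mirroring the chain reported in the issue.
// In a real project, replace this with: JSON.parse(fs.readFileSync("package-lock.json"))
const lock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", dependencies: { "react-scripts": "5.0.1" } },
    "node_modules/react-scripts": { version: "5.0.1", dependencies: { "workbox-webpack-plugin": "^6.5.4" } },
    "node_modules/workbox-webpack-plugin": { version: "6.5.4", dependencies: { "workbox-build": "6.5.4" } },
    "node_modules/workbox-build": { version: "6.5.4", dependencies: { "rollup-plugin-off-main-thread": "^2.2.3" } },
    "node_modules/rollup-plugin-off-main-thread": { version: "2.2.3", dependencies: { ejs: "^3.1.6" } },
    "node_modules/ejs": { version: "3.1.9" },
  },
};

// Resolve `name` as required from the package installed at `fromPath`, using Node's
// nested node_modules lookup: try <fromPath>/node_modules/<name>, then walk up one
// node_modules level at a time until the hoisted top-level entry is reached.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (!base) return null; // not installed at all (e.g. optional dependency)
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Breadth-first walk from the root package; returns every dependency chain that
// ends in `target`, each chain as a list of "name@version" strings.
function findPaths(lock, target) {
  const packages = lock.packages;
  const results = [];
  const queue = [["", []]];
  const seen = new Set([""]); // each installed package is expanded once, like npm ls
  while (queue.length) {
    const [path, chain] = queue.shift();
    const deps = packages[path].dependencies || {};
    for (const name of Object.keys(deps)) {
      const depPath = resolveDep(packages, path, name);
      if (!depPath) continue;
      const nextChain = [...chain, `${name}@${packages[depPath].version}`];
      if (name === target) results.push(nextChain);
      if (!seen.has(depPath)) { seen.add(depPath); queue.push([depPath, nextChain]); }
    }
  }
  return results;
}

for (const p of findPaths(lock, "ejs")) console.log(p.join(" -> "));
```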

I am facing the same issue with [email protected]. Any ETA when it will be fixed?

suryaprakash539 avatar Jul 25 '23 09:07 suryaprakash539

I am facing the same issue with [email protected]. Any ETA when it will be fixed?

Me too. Any suggestions? 😭😭😭

ninthz avatar Sep 08 '23 10:09 ninthz

Me too. Any suggestions? +1

oylp1988 avatar Sep 16 '23 03:09 oylp1988

Still not being fixed?

austinhoang221 avatar May 06 '24 07:05 austinhoang221

Hi Team, this has been open for 1 year now; when will a react-scripts update with the fixes be available?
Thank you, kind regards.

Note - CVE-2024-33883:
react-scripts-5.1.0-next.14.tgz -> workbox-webpack-plugin-6.6.60.tgz -> workbox-build-6.6.0.tgz -> rollup-plugin-off-main-thread-2.2.3.tgz -> ejs-3.1.9.tgz

sertechside avatar May 15 '24 09:05 sertechside