
Critical `crypto-js` vulnerability (CVE-2023-46233)

Open mauricewegner opened this issue 2 years ago • 4 comments

CVE-2023-46233 (cve.org)

Affected versions < 4.2.0 It would be great if you could bump it.

mauricewegner avatar Oct 26 '23 02:10 mauricewegner

Crypto-js is no longer maintained. We should update code to use native crypto https://www.npmjs.com/package/crypto-js

rameshvr avatar Oct 27 '23 18:10 rameshvr

Fixed via https://github.com/gocardless/gocardless-nodejs/pull/168

mauricewegner avatar Nov 04 '23 03:11 mauricewegner

The release of 3.19.0 re-introduces this vulnerability as it downgraded the crypto-js library again (https://github.com/gocardless/gocardless-nodejs/commit/1e5ae78322c1bdb034ebba24594d1d5f659ed042)

A new release with #170 included would resolve this issue.

mauricewegner avatar Dec 12 '23 13:12 mauricewegner

FYI PR https://github.com/gocardless/gocardless-nodejs/pull/174 just re-introduced crypto-js

SteveOfficerSeccl avatar Jan 18 '24 15:01 SteveOfficerSeccl

Hello. At some point crypto-js was downgraded to 4.1.1, when CVE-2023-46233 is only fixed in 4.2.0. Could you please look into upgrading again to 4.2.0?

niabb avatar May 19 '25 15:05 niabb

Apologies for this - a fix is incoming.

jamiecobbett avatar May 19 '25 15:05 jamiecobbett

This has been resolved in v4.8.0

The crypto-js dependency has not been in use for some time, but it had been accidentally added back into package.json.

jamiecobbett avatar May 19 '25 16:05 jamiecobbett
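A check for the regression this thread describes (crypto-js repeatedly coming back below 4.2.0, and being re-added to package.json while unused), added here as an example and not code from gocardless-nodejs: it flags every crypto-js copy below 4.2.0 in a lockfileVersion 2/3 package-lock.json and any direct crypto-js entry in package.json. The lockfile layout and the sample inputs are assumptions constructed for the example.

```javascript
// Added example, not gocardless-nodejs project code. Flags crypto-js copies below
// 4.2.0 (first release fixing CVE-2023-46233) in a lockfileVersion 2/3
// package-lock.json, and flags crypto-js listed directly in package.json.
const FIXED = [4, 2, 0];

// "4.1.1" -> [4, 1, 1]; null for non-numeric specs (git URLs, dist-tags).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Numeric compare of [major, minor, patch] triples: a < b.
function lessThan(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return false;
}

// One finding per crypto-js copy (direct or nested under another package) that
// is below 4.2.0, or whose version cannot be parsed and so cannot be shown fixed.
function findVulnerableCryptoJs(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path !== 'node_modules/crypto-js' && !path.endsWith('/node_modules/crypto-js')) continue;
    const parsed = parseVersion(entry.version);
    if (parsed === null) {
      findings.push({ path, version: entry.version, reason: 'unparseable version' });
    } else if (lessThan(parsed, FIXED)) {
      findings.push({ path, version: entry.version, reason: 'below 4.2.0 (CVE-2023-46233)' });
    }
  }
  return findings;
}

// True if crypto-js is a direct dependency (the package.json regression in this thread).
function listedInPackageJson(pkg) {
  return ['dependencies', 'devDependencies', 'optionalDependencies']
    .some((k) => 'crypto-js' in (pkg[k] || {}));
}
// Constructed sample inputs: direct crypto-js 4.1.1 (vulnerable) plus a nested
// 4.2.0 copy (fixed); package.json still lists crypto-js directly.
const SAMPLE_PACKAGE_JSON = { name: 'app', dependencies: { 'crypto-js': '^4.1.1' } };
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/crypto-js': { version: '4.1.1' },
    'node_modules/some-dep/node_modules/crypto-js': { version: '4.2.0' },
  },
};
for (const f of findVulnerableCryptoJs(SAMPLE_LOCK)) console.log(`${f.path}@${f.version}: ${f.reason}`);
console.log('crypto-js listed in package.json:', listedInPackageJson(SAMPLE_PACKAGE_JSON));
```

To run it against a real checkout, replace the constructed samples with `JSON.parse` of the project's package-lock.json and package.json and fail the CI step when any finding is returned.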