Potential exposure to CVE-2021-3918 - Score 9.8
Steps to reproduce
- Install loopback-connector-rest
- run `npm ls json-schema`
Current Behavior
The vulnerable version of json-schema is a sub-dependency of [email protected] which is the latest version of the deprecated http client.
└─┬ [email protected]
└─┬ [email protected]
└─┬ [email protected]
└─┬ [email protected]
└── [email protected]
Expected Behavior
Usage of non-deprecated packages which are not exposed to security vulnerabilities.
Additional information
https://nvd.nist.gov/vuln/detail/CVE-2021-3918
Fixes exist for json-schema, jsprim and http-signature but request does not accept [email protected] which would resolve this issue:
https://github.com/joyent/node-http-signature/blob/master/CHANGES.md#136
Related Issues
https://github.com/loopbackio/loopback-connector-rest/issues/147
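The `npm ls` check above can be automated over the JSON form of the tree. The following is an added example, not code from this issue or from loopback-connector-rest: it walks `npm ls --all --json` output and reports every dependency chain that reaches a target package at a version older than a given fixed version. The sample tree and all versions in it are constructed, and the `0.4.0` cut-off is an assumed placeholder to be replaced with the fixed version from the linked NVD entry.

```javascript
// Added example (not from the issue or the project): find transitive exposure to a
// vulnerable package in the JSON output of `npm ls --all --json`.

// Compare "major.minor.patch" strings numerically; true when a is older than b.
function versionLessThan(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Depth-first walk; returns every root-to-target path (arrays of "name@version")
// whose target version is below fixedVersion. Entries without a version (deduped
// or missing packages in npm's output) are skipped rather than compared.
function findVulnerablePaths(tree, target, fixedVersion) {
  const hits = [];
  function walk(node, path) {
    for (const [name, info] of Object.entries(node.dependencies || {})) {
      if (!info.version) continue;
      const here = path.concat(`${name}@${info.version}`);
      if (name === target && versionLessThan(info.version, fixedVersion)) hits.push(here);
      walk(info, here);
    }
  }
  walk(tree, [`${tree.name}@${tree.version}`]);
  return hits;
}

// Render one path the way `npm ls` does: one package per line, indented by depth.
function formatChain(path) {
  return path.map((pkg, depth) => `${'  '.repeat(depth)}${depth ? '└─ ' : ''}${pkg}`).join('\n');
}

// Constructed sample tree mirroring the chain reported in the issue
// (request -> http-signature -> jsprim -> json-schema). Versions are made up.
const sampleTree = {
  name: 'my-app', version: '1.0.0', dependencies: {
    'loopback-connector-rest': { version: '1.0.0', dependencies: {
      request: { version: '1.0.0', dependencies: {
        'http-signature': { version: '1.0.0', dependencies: {
          jsprim: { version: '1.0.0', dependencies: { 'json-schema': { version: '0.2.0' } } } } } } } } } } };

// '0.4.0' is an assumed cut-off; take the real fixed version from the NVD advisory.
const vulnerable = findVulnerablePaths(sampleTree, 'json-schema', '0.4.0');
vulnerable.forEach((p) => console.log(formatChain(p)));
```

Feed it real data with `npm ls --all --json > tree.json` and `JSON.parse` of that file in place of `sampleTree`.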
@felix-hcl, thanks for reporting this. Since request has been deprecated, it would be good to replace the request module with another similar module (as you've pointed out in #147).
IIRC, @marioestradarosa was looking into replacing request with axios but had some concerns about it. But I couldn't seem to find where the discussion happened. @marioestradarosa, any insights?
Hello @dhmlau, thankfully in the meantime there was a fix in a sub-package, so request is currently no longer vulnerable. Still, the underlying issue remains by relying on a package deprecated 2 years ago. Is this loopback connector still maintained and recommended to be used?
Replaced request with a well-maintained fork - https://github.com/loopbackio/loopback-connector-rest/pull/179