
(security)(RCE) Upgrade jsonpath-plus to @^10.0.0 #4770

Open
adrsimon opened this issue Oct 11, 2024 · 2 comments · May be fixed by #4778

Comments

@adrsimon

Hello,

Snyk reported a security issue in one of my repos, because of one of the dependencies used by dd-trace-js.
You can find the report here: https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884

dd-trace-js uses jsonpath-plus@^9.0.0, which contains an RCE.

The only thing to do is upgrade the lib.

Thanks!

@adrsimon adrsimon changed the title Update jsonpath-plus to @^10.0.0 Upgrade jsonpath-plus to @^10.0.0 Oct 11, 2024
@adrsimon adrsimon changed the title Upgrade jsonpath-plus to @^10.0.0 (security)(RCE) Upgrade jsonpath-plus to @^10.0.0 Oct 11, 2024
@AidenPoultonProlific

We're using pnpm, and adding the following to package.json at least bumped the dependency for us. A quick ephemeral deployment shows tracing is still working; however, it's hard to say there aren't side effects from this, so I would tread carefully if you're pushing this out to production (especially ahead of the weekend).

```json
{
  "pnpm": {
    "overrides": {
      "jsonpath-plus": "10.0.0"
    }
  }
}
```
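An override like the one above only helps if every resolved copy of the package in the installed tree actually moved. The following is an added example, not code from the commenter or from the dd-trace-js project: it walks a dependency tree in the shape that `npm ls --json` (or `pnpm ls --json`, per package) prints and lists each copy of `jsonpath-plus` still below the version the issue asks for. The tree, the `dd-trace` and `some-other-lib` entries and the `10.0.0` threshold are constructed assumptions; feed it your own `ls --json` output and the advisory's fixed version.

```javascript
// Added example (not from the dd-trace-js project or the issue thread):
// after applying an override, walk a dependency tree in the shape that
// `npm ls --json` / `pnpm ls --json` produce and list every resolved copy
// of a package whose version is below a minimum.

const VULNERABLE_PACKAGE = 'jsonpath-plus';
// Threshold taken from this issue; assumed here, adjust to your advisory.
const MIN_SAFE_VERSION = '10.0.0';

// Parse "MAJOR.MINOR.PATCH" (prerelease/build suffixes ignored) into numbers.
function parseSemver(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) throw new Error(`unparseable version: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison: negative if a < b, zero if equal, positive if a > b.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Recursively collect every occurrence of `name` in an npm-ls-style tree
// ({ dependencies: { pkg: { version, dependencies } } }), recording the
// dependency path that leads to each copy.
function findPackage(tree, name, path = [], found = []) {
  const deps = tree.dependencies || {};
  for (const [depName, dep] of Object.entries(deps)) {
    const here = [...path, `${depName}@${dep.version}`];
    if (depName === name) found.push({ version: dep.version, path: here });
    findPackage(dep, name, here, found);
  }
  return found;
}

// Return only the copies that still sit below the minimum version.
function auditTree(tree, name = VULNERABLE_PACKAGE, minVersion = MIN_SAFE_VERSION) {
  return findPackage(tree, name).filter(
    (copy) => compareSemver(copy.version, minVersion) < 0
  );
}

// Constructed sample data (not a real project's output): the override took
// effect under one dependency, but a second, nested copy still resolves to 9.x.
const SAMPLE_TREE = {
  name: 'my-service',
  version: '1.0.0',
  dependencies: {
    'dd-trace': {
      version: '5.0.0',
      dependencies: { 'jsonpath-plus': { version: '10.0.0' } },
    },
    'some-other-lib': {
      version: '2.3.1',
      dependencies: { 'jsonpath-plus': { version: '9.0.0' } },
    },
  },
};

// Human-readable report lines, one per copy that still needs attention.
function report(tree) {
  return auditTree(tree).map((c) => `still below ${MIN_SAFE_VERSION}: ${c.path.join(' > ')}`);
}

console.log(report(SAMPLE_TREE).join('\n') || 'no copies below minimum version');
```

Run it against real data by replacing `SAMPLE_TREE` with `JSON.parse` of the `ls --json` output; an empty result is the signal that the override reached every copy, and any non-empty line names the dependency chain that still pins the old version.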

@monwolf

monwolf commented Oct 14, 2024

For searching purposes, this relates to CVE-2024-21534

juancarlosjr97 added a commit to juancarlosjr97/datadog-trace-js that referenced this issue Oct 14, 2024