
Security Issue in Dependency - CVE-2022-24434 #566

Open
mheironimus-rgare opened this issue Jul 5, 2022 · 2 comments

Comments

@mheironimus-rgare

NPM audit, and other security vulnerability scanning tools, are indicating the following issue in version 0.6.22 of serverless-s3-local:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Crash in HeaderParser in dicer                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ dicer                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ serverless-s3-local [dev]                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ serverless-s3-local > s3rver > busboy > dicer                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-wm7h-9275-46v2            │
└───────────────┴──────────────────────────────────────────────────────────────┘

Could this issue be addressed in a future release?

@ar90n
Owner

ar90n commented Jul 5, 2022

Hi @mheironimus-rgare
Thanks for your comment. I found that there is a security issue in serverless-s3-local, but it seems that this issue is derived from s3rver. So I will update the dependency on s3rver when the new version of s3rver is released.

I'm not familiar with this issue, so if you know of any other actions about this issue, please let me know.

@mheironimus-rgare
Author

My understanding is the issue was addressed in busboy v1.0.0 (mscdex/busboy#250 (comment)). Hopefully a new version of s3rver will be released that uses a newer version of busboy. It appears the most recent version of s3rver was released back on 10/03/2021 (https://www.npmjs.com/package/s3rver). It still references busboy v0.3.1.

Thank you for your help with this issue.
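An added example, not code from this thread or from the serverless-s3-local project: a script that walks the nested tree printed by `npm ls --all --json` and reports every path reaching a package named in an advisory (here `dicer`), flagging paths whose direct parent is a busboy release older than 1.0.0, the version the comment above says addressed the issue. The tree shape assumed is `{ version, dependencies: { <name>: { version, dependencies: {...} } } }`; the sample tree is constructed to mirror the audit path in the issue, and its s3rver and dicer version strings are placeholders.

```javascript
// Added example (not from the issue thread): find every dependency path that
// reaches a package named in an advisory, as the "Path" row of `npm audit` does.

// Minimal "major.minor.patch" comparison; pre-release tags are ignored.
function versionLessThan(a, b) {
  const parse = (v) => (/^(\d+)\.(\d+)\.(\d+)/.exec(v || "") || []).slice(1, 4).map(Number);
  const pa = parse(a), pb = parse(b);
  if (pa.length !== 3 || pb.length !== 3) return false;
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i];
  return false;
}

// One record per path ending in `target`; `viaUnpatchedBusboy` is true when the
// direct parent is a busboy release older than `fixedBusboy` (1.0.0 per the thread).
function findPathsTo(tree, target, fixedBusboy = "1.0.0") {
  const hits = [];
  const walk = (node, trail) => {
    for (const [name, dep] of Object.entries(node.dependencies || {})) {
      const here = [...trail, { name, version: dep.version }];
      if (name === target) {
        const parent = here[here.length - 2]; // undefined for a direct dependency
        hits.push({
          path: here.map((p) => p.name).join(" > "),
          viaUnpatchedBusboy: parent !== undefined && parent.name === "busboy" &&
            versionLessThan(parent.version, fixedBusboy),
        });
      }
      walk(dep, here); // the same package may appear again deeper, keep descending
    }
  };
  walk(tree, []);
  return hits;
}

// Constructed sample mirroring the path reported in the issue; the s3rver and
// dicer version strings are placeholders, not values from the thread.
const SAMPLE_TREE = {
  name: "my-service", version: "1.0.0",
  dependencies: {
    "serverless-s3-local": { version: "0.6.22", dependencies: {
      s3rver: { version: "0.0.0-placeholder", dependencies: {
        busboy: { version: "0.3.1", dependencies: {
          dicer: { version: "0.0.0-placeholder" } } } } } } },
  },
};

console.log(JSON.stringify(findPathsTo(SAMPLE_TREE, "dicer"), null, 2));
```

To check a real project, replace `SAMPLE_TREE` with `JSON.parse` of the `npm ls --all --json` output.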
