
Erroneous CVE causing havoc with package vulnerability scanners (2.6.9) #924

Closed
tkilminster-sc opened this issue Jan 10, 2023 · 5 comments

Comments

tkilminster-sc commented Jan 10, 2023

Technically an issue but not with code. More of an FYI for the package owner and others experiencing issues with failing security audits.

Summary: a new CVE, CVE-2017-20165, which appears to be a duplicate of CVE-2017-16137, erroneously identifies 2.6.9 as being vulnerable.

@dougwilson from the express project took the time to do the top-level investigation; the thread is available here.

joebowbeer commented Jan 11, 2023

Affected versions reported as < 3.1.0 in the GitHub Advisory Database:

GHSA-9vvw-cc9w-f27h

Qix- (Member) commented Jan 12, 2023

Thanks for bringing it up. I believe #921 also tried to bring this up, but I didn't have enough context to really say much specifically about this case. My comment there still stands, however.

Unfortunately there's not much I can do about this; security "researcher" trolls have been trying to make a quick buck off bounty sites using debug for a few years now. It looks like someone stepped on someone else's toes also trying to cash out.

I can't really do much about it - from my perspective, the entire CVE system is broken. I have zero power over these reports, and issues such as this are the only way I even know they exist. Nobody even tries to reach out these days, they just file new CVEs in order to claim bounties on e.g. Huntr.dev and the like.

Sorry this is causing you issues :/ If there's something actionable I can do from my end, please let me know.

Thanks for opening the ticket and letting me know! Appreciate it :)

Qix- (Member) commented May 8, 2023

It should be pointed out that CVE-2017-20165 was filed by VulDB, which is itself a paywalled site paying out up to 5k for an exploit for this (https://vuldb.com/?id.217665).

At least from my end,

  1. There have been no formal security reports to me, and no good-faith attempts here on the repository.
  2. No contact is listed for who filed this (it appears to be some automated system, which I choose not to believe is the case).
  3. This site is not only performing its own payouts (which incentivizes people to abuse their system) but also charges to view the details of the report, even though I am the maintainer. I'm aware the accounts are "free", but I should not have to disclose my own personal information just to see a security report about code I maintain. That's garbage, and they know it.

Shit like this makes a mockery of the security community and I refuse to partake. I would hope that other advisory relay systems such as NPM's and Github's discard such blatantly trashy, dark-pattern riddled and hostile services altogether.

Please stop filing issues about this CVE. I will simply close them. They waste my time, and this whole thing has completely turned me off from not only debug but the Node.js community as a whole. Might I suggest Rust?

Further, I'd say you should probably stop using debug altogether. It has a bad API design, relies on side effects for its functionality, is systematically misused by consumers (e.g. .enable() should never have been a thing; this library should have been environment-variable driven only from the start), and the next major version is currently (and seemingly indefinitely) blocked by nonstop discussions about CLI flags regarding ESM code.

I'm really tired of this package popping up in my notifications. Not because I don't care, or because I've abandoned it, but I just don't see how this package should continue living. It's clearly just a cash cow at this point for novice security "researchers" to get quick bounties on shady, slimy sites. I actually feel guilty receiving sponsorship money from it. That's how much I despise this package.

Sorry, needed to rant. But I'm really at wit's end with the nonsense associated with the Javascript package God forgot.

debug-js locked this issue as resolved and limited conversation to collaborators on Aug 4, 2023.