
CVE-2022-24434: DoS affecting dicer (sub-dependency) #1254

Open · sewellstephens opened this issue Apr 14, 2024 · Discussed in #1253 · 3 comments

Comments

@sewellstephens

Discussed in #1253

Originally posted by sewellstephens April 14, 2024
Hi, I'm not at all an expert in cybersecurity, nor am I a security researcher, but Snyk security and NPM are warning of a critical DDoS vulnerability attached to this package. According to the NPM vuln scanner, it seems to be linked to the busboy dependency in package.json.

Here's a screenshot:

[screenshot: dicer vuln]
UlisesGascon changed the title from "Snyk security is warning of DDoS vulnerability on package." to "CVE: DoS affecting dicer (depenency)" Apr 15, 2024
UlisesGascon changed the title from "CVE: DoS affecting dicer (depenency)" to "CVE: DoS affecting dicer (dependency)" Apr 15, 2024
@UlisesGascon
Member

UlisesGascon commented Apr 15, 2024

I was able to replicate this with this package.json.

{
  "name": "multer-1254",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "keywords": [],
  "author": "",
  "license": "ISC",
  "dependencies": {
    "multer": "^1.4.2"
  }
}

Snyk is alerting for SNYK-JS-DICER-2311764, but on the Multer page it is not shown. I found that confusing at the beginning, but after doing further research I got a better understanding.

By checking the dependencies we can see that busboy@0.2.14 depends on dicer@0.2.5 (see). Multer depends on busboy@^0.2.11 (see)

 "node_modules/busboy": {
      "version": "0.2.14",
      "resolved": "https://registry.npmjs.org/busboy/-/busboy-0.2.14.tgz",
      "integrity": "sha512-InWFDomvlkEj+xWLBfU3AvnbVYqeTWmQopiW0tWWEy5yehYm2YkGEc59sUmw/4ty5Zj/b0WHGs1LgecuBSBGrg==",
      "dependencies": {
        "dicer": "0.2.5",
        "readable-stream": "1.1.x"
      },
      "engines": {
        "node": ">=0.8.0"
      }
    }

Currently there is no fix available for dicer (I was not able to find an open discussion either), so maybe we can upgrade busboy to v1.0.0 (see comparison details), as this version removes dicer and includes streamsearch, but this will drop Node.js support to >=10.16.0 for multer.

That said ... I am not very familiar with multer internals or busboy, so maybe this CVE is not affecting us due to the way we are using the dependencies? 🤔
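One way to answer that question for a given project is to read the installed tree rather than the advisory: walk package-lock.json and list every chain that still resolves dicer. The following is an added example, not multer's or busboy's own code; the two lock objects are constructed fragments that mirror the versions named in this thread (multer 1.4.2 → busboy 0.2.14 → dicer 0.2.5, and multer 1.4.5-lts.1 → busboy 1.0.0 → streamsearch).

```javascript
// Added example (not multer's code): walk a lockfileVersion 2/3 package-lock.json "packages"
// map and report each chain that still resolves dicer. Both lock objects are constructed
// fragments mirroring the versions named in this thread.
const VULNERABLE_LOCK = { packages: {
  "": { name: "multer-1254", dependencies: { multer: "^1.4.2" } },
  "node_modules/multer": { version: "1.4.2", dependencies: { busboy: "^0.2.11" } },
  "node_modules/busboy": { version: "0.2.14", dependencies: { dicer: "0.2.5" } },
  "node_modules/dicer": { version: "0.2.5" },
} };
// multer 1.4.5-lts.1 pulls busboy 1.0.0, which replaced dicer with streamsearch.
const FIXED_LOCK = { packages: {
  "": { name: "multer-1254", dependencies: { multer: "1.4.5-lts.1" } },
  "node_modules/multer": { version: "1.4.5-lts.1", dependencies: { busboy: "^1.0.0" } },
  "node_modules/busboy": { version: "1.0.0", dependencies: { streamsearch: "^1.1.0" } },
  "node_modules/streamsearch": { version: "1.1.0" },
} };

// "node_modules/a/node_modules/b" -> "b"; the root entry "" stays "".
const pkgName = (path) => path.split("node_modules/").pop();
const label = (lock, path) =>
  path === "" ? "(root)" : `${pkgName(path)}@${lock.packages[path].version}`;

// Every chain root -> ... -> target, following "dependencies" edges backwards.
function findChains(lock, target) {
  const dependents = {}; // dep name -> lockfile paths of packages that declare it
  for (const [path, entry] of Object.entries(lock.packages)) {
    for (const dep of Object.keys(entry.dependencies || {})) {
      (dependents[dep] = dependents[dep] || []).push(path);
    }
  }
  const chains = [];
  const walk = (path, chain) => {
    if (path === "") return chains.push(chain.map((p) => label(lock, p)));
    for (const parent of dependents[pkgName(path)] || []) {
      if (!chain.includes(parent)) walk(parent, [parent, ...chain]); // guards cycles
    }
  };
  for (const path of Object.keys(lock.packages)) {
    if (path !== "" && pkgName(path) === target) walk(path, [path]);
  }
  return chains;
}
// affected === true means dicer is still installed somewhere in the tree.
function auditDicer(lock) {
  const chains = findChains(lock, "dicer");
  return { affected: chains.length > 0, chains };
}

console.log(JSON.stringify(auditDicer(VULNERABLE_LOCK), null, 2)); // affected: true
console.log(JSON.stringify(auditDicer(FIXED_LOCK), null, 2)); // affected: false
```

To run it against a real project, replace the constructed objects with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; a non-empty chains list tells you exactly which top-level dependency is pulling dicer in.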

UlisesGascon changed the title from "CVE: DoS affecting dicer (dependency)" to "CVE-2022-24434: DoS affecting dicer (dependency)" Apr 15, 2024
UlisesGascon changed the title from "CVE-2022-24434: DoS affecting dicer (dependency)" to "CVE-2022-24434: DoS affecting dicer (sub-dependency)" Apr 15, 2024
@welchjl

welchjl commented Apr 18, 2024

1.4.2 is deprecated. Update to 1.4.5-lts.1 as it uses busboy 1.0.0 which resolves the vulnerability 👍

@Jblew

Jblew commented Jul 15, 2024

This seems to be fixed in 1.4.5-lts.1. Perhaps you can close the issue as fixed?
