CVE-2023-29827

[kraison1]

Ref nvd: https://nvd.nist.gov/vuln/detail/CVE-2023-29827

Dependency Path: react-scripts (5.0.1) -> workbox-build (6.6.0) -> @surma/rollup-plugin-off-main-thread (2.2.3) -> ejs(3.1.9)
Img nvd

Img black duck

[sworisbreathing]

@kraison1 this is an incredibly complex issue. Whether or not the CVE should be considered applicable depends ultimately on whether or not there are any code paths which pass untrusted user input into ejs.render().

Simply having ejs in your dependency graph does not automatically mean this CVE can be exploited in your application, but security tools which only look at your SBOM don't have this kind of context, so they err on the side of caution, and it's up to you to be able to rule it in or out (and also up to your organisation to have adequate processes for marking these findings as false positives).

The fact that ejs is a transitive dependency nested 4 levels deep from react-scripts (you've missed one in your dependency path... it's actually react-scripts -> workbox-webpack-config -> workbox-build -> rollup-plugin-off-main-thread -> ejs) means there are a lot of ways ejs.render() can be called in your application, all of which need to be checked.

• If your app is explicitly making its own calls to ejs.render() then you need to check your own code to ensure it's not calling that against untrusted user input.
• If your app is explicitly making its own calls to rollup using the omt plugin, then you need to check your own code to ensure it's not calling that against untrusted user input.
• If your app is explicitly making its own calls to workbox-build's bundle() method, then you need to check your own code to ensure it's not calling that against untrusted user input.
• If your app is explicitly making its own calls to workbox-webpack-plugin's GenerateSW.addAssets() method, then you need to check your own code to ensure it's not calling that against untrusted user input.

If your app is using any other dependencies which make any of the above calls, then you need to check the code paths there, to see if they are passing untrusted input.

Based on my reading of the code, react-scripts does not appear to have any direct references to GenerateSW in workbox-webpack-plugin, but it does import InjectManifest. I personally have no involvement with any of these libraries (nor am I really a JS/TS developer), and thus I have very little understanding of how these libraries work, especially with respect to how they call one another (or themselves) through the use of plugins. Someone with a better understanding of these libraries could probably comment on whether there are any direct or indirect code paths from workbox-webpack-plugin's InjectManifest to its GenerateSW (hint: you should probably raise it with that repo). If the answer is "no" then I would be confident in my own applications to say there are no code paths through react-scripts which would pass untrusted user input into ejs.render().

Unless, of course, I've missed something here.