You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Underscore.js 1.8.3, which is included in the built version of MkDocs Material documentation inside file site/assets/javascripts/lunr/wordcut.js, has a known high severity vulnerability (CVE-2021-23358).
Thanks for reporting. wordcut.js is provided by lunr-languages, a library that provides additional stemmers and stopword filters for lunr.js, the search we're currently using. Thus, this issue should be reported upstream, because we only consumewordcut.js from this library – we can't patch it ourselves. Could you please create an issue upstream?
As mentioned, we can't fix it, but I currently assess the risk as being tolerable, given that it only affects a small subset of languages, and runs in an already isolated context. Also note that we're working on a new search to replace luns.js and lunr-languages in the near future, tracked in #6307. Other than that, if you have any idea how we can mitigate the situation without starting to patch wordcut.js on our side or losing functionality, please share them with us.
As an additional countermeasure, I've looked at wordcut.js to learn how underscore.js is used, and albeit the entirety of underscore.js is bundled, with most of the code being dead code, it appears the only method used is _.clone:
The CVE specifically concerns _.template, which is not being used by wordcut.js in any instance, so we don't have an urgent problem on our side here. Furthermore, the maintainers of lunr-languages could remove the use of underscore.js quite easily by replacing _.clone with a simple ...spread, i.e., vanilla JavaScript code:
varacceptors=_.clone(Acceptors);// ... can be changed to:varacceptors={...Acceptors}
This would also reduce the payload by several dozen kilobytes.
Context
No response
Description
Underscore.js 1.8.3, which is included in the built version of MkDocs Material documentation inside file site/assets/javascripts/lunr/wordcut.js, has a known high severity vulnerability (CVE-2021-23358).
Update to [email protected] is required
Related links
Use Cases
This has affect on all users of the project.
Visuals
No response
Before submitting
The text was updated successfully, but these errors were encountered: