<!-- github.com/argoproj/argo-cd/v3@v3.2.1/docs/snyk/v2.14.17/argocd-test.html -->
<!DOCTYPE html>
<html lang="en">

<head>
  <meta http-equiv="Content-type" content="text/html; charset=utf-8">
  <meta http-equiv="Content-Language" content="en-us">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <meta http-equiv="X-UA-Compatible" content="IE=edge">
  <title>Snyk test report</title>
  <meta name="description" content="15 known vulnerabilities found in 60 vulnerable dependency paths.">
  <base target="_blank">
  <link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png"
        sizes="194x194">
  <link rel="shortcut icon" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.ico">
  <style type="text/css">
    body {
      -moz-font-feature-settings: "pnum";
      -webkit-font-feature-settings: "pnum";
      font-variant-numeric: proportional-nums;
      display: flex;
      flex-direction: column;
      font-feature-settings: "pnum";
      font-size: 100%;
      line-height: 1.5;
      min-height: 100vh;
      -webkit-text-size-adjust: 100%;
      margin: 0;
      padding: 0;
      background-color: #F5F5F5;
      font-family: 'Arial', 'Helvetica', Calibri, sans-serif;
    }

    h1, h2, h3, h4, h5, h6 {
      font-weight: 500;
    }

    a, a:link, a:visited {
      border-bottom: 1px solid #4b45a9;
      text-decoration: none;
      color: #4b45a9;
    }

    a:hover, a:focus, a:active {
      border-bottom: 1px solid #4b45a9;
    }

    hr {
      border: none;
      margin: 1em 0;
      border-top: 1px solid #c5c5c5;
    }

    ul {
      padding: 0 1em;
      margin: 1em 0;
    }

    code {
      background-color: #EEE;
      color: #333;
      padding: 0.25em 0.5em;
      border-radius: 0.25em;
    }

    pre {
      background-color: #333;
      font-family: monospace;
      padding: 0.5em 1em 0.75em;
      border-radius: 0.25em;
      font-size: 14px;
    }

    pre code {
      padding: 0;
      background-color: transparent;
      color: #fff;
    }

    a code {
      border-radius: .125rem .125rem 0 0;
      padding-bottom: 0;
      color: #4b45a9;
    }

    a[href^="http://"]:after,
    a[href^="https://"]:after {
      background-image: linear-gradient(transparent,transparent),url("data:image/svg+xml,%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%20viewBox%3D%220%200%20112%20109%22%3E%3Cg%20id%3D%22Page-1%22%20fill%3D%22none%22%20fill-rule%3D%22evenodd%22%3E%3Cg%20id%3D%22link-external%22%3E%3Cg%20id%3D%22arrow%22%3E%3Cpath%20id%3D%22Line%22%20stroke%3D%22%234B45A9%22%20stroke-width%3D%2215%22%20d%3D%22M88.5%2021l-43%2042.5%22%20stroke-linecap%3D%22square%22%2F%3E%3Cpath%20id%3D%22Triangle%22%20fill%3D%22%234B45A9%22%20d%3D%22M111.2%200v50L61%200z%22%2F%3E%3C%2Fg%3E%3Cpath%20id%3D%22square%22%20fill%3D%22%234B45A9%22%20d%3D%22M66%2015H0v94h94V44L79%2059v35H15V30h36z%22%2F%3E%3C%2Fg%3E%3C%2Fg%3E%3C%2Fsvg%3E");
      background-repeat: no-repeat;
      background-size: .75rem;
      content: "";
      display: inline-block;
      height: .75rem;
      margin-left: .25rem;
      width: .75rem;
    }

    /* Layout */

    [class*=layout-container] {
      margin: 0 auto;
      max-width: 71.25em;
      padding: 1.9em 1.3em;
      position: relative;
    }

    .layout-container--short {
      padding-top: 0;
      padding-bottom: 0;
      max-width: 48.75em;
    }

    .layout-container--short:after {
      display: block;
      content: "";
      clear: both;
    }

    /* Header */

    .header {
      padding-bottom: 1px;
    }

    .paths {
      margin-left: 8px;
    }

    .header-wrap {
      display: flex;
      flex-direction: row;
      justify-content: space-between;
      padding-top: 2em;
    }

    .project__header {
      background-color: #030328;
      color: #fff;
      margin-bottom: -1px;
      padding-top: 1em;
      padding-bottom: 0.25em;
      border-bottom: 2px solid #BBB;
    }

    .project__header__title {
      overflow-wrap: break-word;
      word-wrap: break-word;
      word-break: break-all;
      margin-bottom: .1em;
      margin-top: 0;
    }

    .timestamp {
      float: right;
      clear: none;
      margin-bottom: 0;
    }

    .meta-counts {
      clear: both;
      display: block;
      flex-wrap: wrap;
      justify-content: space-between;
      margin: 0 0 1.5em;
      color: #fff;
      clear: both;
      font-size: 1.1em;
    }

    .meta-count {
      display: block;
      flex-basis: 100%;
      margin: 0 1em 1em 0;
      float: left;
      padding-right: 1em;
      border-right: 2px solid #fff;
    }

    .meta-count:last-child {
      border-right: 0;
      padding-right: 0;
      margin-right: 0;
    }

    /* Card */

    .card {
      background-color: #fff;
      border: 1px solid #c5c5c5;
      border-radius: .25rem;
      margin: 0 0 2em 0;
      position: relative;
      min-height: 40px;
      padding: 1.5em;
    }

    .card__labels {
      position: absolute;
      top: 1.1em;
      left: 0;
      display: flex;
      align-items: center;
      gap: 8px;
    }

    .card .label {
      background-color: #767676;
      border: 2px solid #767676;
      color: white;
      padding: 0.25rem 0.75rem;
      font-size: 0.875rem;
      text-transform: uppercase;
      display: inline-block;
      margin: 0;
      border-radius: 0.25rem;
    }

    .card .label__text {
      vertical-align: text-top;
      font-weight: bold;
    }

    .card .label--critical {
      background-color: #AB1A1A;
      border-color: #AB1A1A;
    }

    .card .label--high {
      background-color: #CE5019;
      border-color: #CE5019;
    }

    .card .label--medium {
      background-color: #D68000;
      border-color: #D68000;
    }

    .card .label--low {
      background-color: #88879E;
      border-color: #88879E;
    }

    .severity--low {
      border-color: #88879E;
    }

    .severity--medium {
      border-color: #D68000;
    }

    .severity--high {
      border-color: #CE5019;
    }

    .severity--critical {
      border-color: #AB1A1A;
    }

    .card--vuln {
      padding-top: 4em;
    }

    .card--vuln .card__labels > .label:first-child {
      padding-left: 1.9em;
      padding-right: 1.9em;
      border-radius: 0 0.25rem 0.25rem 0;
    }

    .card--vuln .card__section h2 {
      font-size: 22px;
      margin-bottom: 0.5em;
    }

    .card--vuln .card__section p {
      margin: 0 0 0.5em 0;
    }

    .card--vuln .card__meta {
      padding: 0 0 0 1em;
      margin: 0;
      font-size: 1.1em;
    }

    .card .card__meta__paths {
      font-size: 0.9em;
    }

    .card--vuln .card__title {
      font-size: 28px;
      margin-top: 0;
      margin-right: 100px; /* Ensure space for the risk score */
    }

    .card--vuln .card__cta p {
      margin: 0;
      text-align: right;
    }

    .risk-score-display {
      position: absolute;
      top: 1.5em;
      right: 1.5em;
      text-align: right;
      z-index: 10;
    }

    .risk-score-display__label {
      font-size: 0.7em;
      font-weight: bold;
      color: #586069;
      text-transform: uppercase;
      line-height: 1;
      margin-bottom: 3px;
    }

    .risk-score-display__value {
      font-size: 1.9em;
      font-weight: 600;
      color: #24292e;
      line-height: 1;
    }

    .source-panel {
      clear: both;
      display: flex;
      justify-content: flex-start;
      flex-direction: column;
      align-items: flex-start;
      padding: 0.5em 0;
      width: fit-content;
    }
  </style>
  <style type="text/css">
    .metatable {
      text-size-adjust: 100%;
      -webkit-font-smoothing: antialiased;
      -webkit-box-direction: normal;
      color: inherit;
      font-feature-settings: "pnum";
      box-sizing: border-box;
      background: transparent;
      border: 0;
      font: inherit;
      font-size: 100%;
      margin: 0;
      outline: none;
      padding: 0;
      text-align: left;
      text-decoration: none;
      vertical-align: baseline;
      z-index: auto;
      margin-top: 12px;
      border-collapse: collapse;
      border-spacing: 0;
      font-variant-numeric: tabular-nums;
      max-width: 51.75em;
    }

    tbody {
      text-size-adjust: 100%;
      -webkit-font-smoothing: antialiased;
      -webkit-box-direction: normal;
      color: inherit;
      font-feature-settings: "pnum";
      border-collapse: collapse;
      border-spacing: 0;
      box-sizing: border-box;
      background: transparent;
      border: 0;
      font: inherit;
      font-size: 100%;
      margin: 0;
      outline: none;
      padding: 0;
      text-align: left;
      text-decoration: none;
      vertical-align: baseline;
      z-index: auto;
      display: flex;
      flex-wrap: wrap;
    }

    .meta-row {
      text-size-adjust: 100%;
      -webkit-font-smoothing: antialiased;
      -webkit-box-direction: normal;
      color: inherit;
      font-feature-settings: "pnum";
      border-collapse: collapse;
      border-spacing: 0;
      box-sizing: border-box;
      background: transparent;
      border: 0;
      font: inherit;
      font-size: 100%;
      outline: none;
      text-align: left;
      text-decoration: none;
      vertical-align: baseline;
      z-index: auto;
      display: flex;
      align-items: start;
      border-top: 1px solid #d3d3d9;
      padding: 8px 0 0 0;
      border-bottom: none;
      margin: 8px;
      width: 47.75%;
    }

    .meta-row-label {
      text-size-adjust: 100%;
      -webkit-font-smoothing: antialiased;
      -webkit-box-direction: normal;
      font-feature-settings: "pnum";
      border-collapse: collapse;
      border-spacing: 0;
      color: #4c4a73;
      box-sizing: border-box;
      background: transparent;
      border: 0;
      font: inherit;
      margin: 0;
      outline: none;
      text-decoration: none;
      z-index: auto;
      align-self: start;
      flex: 1;
      font-size: 1rem;
      line-height: 1.5rem;
      padding: 0;
      text-align: left;
      vertical-align: top;
      text-transform: none;
      letter-spacing: 0;
    }

    .meta-row-value {
      text-size-adjust: 100%;
      -webkit-font-smoothing: antialiased;
      -webkit-box-direction: normal;
      color: inherit;
      font-feature-settings: "pnum";
      border-collapse: collapse;
      border-spacing: 0;
      word-break: break-word;
      box-sizing: border-box;
      background: transparent;
      border: 0;
      font: inherit;
      font-size: 100%;
      margin: 0;
      outline: none;
      padding: 0;
      text-align: right;
      text-decoration: none;
      vertical-align: baseline;
      z-index: auto;
    }
  </style>
</head>

<body class="section-projects">
  <main class="layout-stacked">
    <div class="layout-stacked__header header">
      <header class="project__header">
        <div class="layout-container">
          <a class="brand" href="https://snyk.io" title="Snyk">
            <svg width="68px" height="35px" viewBox="0 0 68 35" version="1.1" xmlns="http://www.w3.org/2000/svg" role="img">
              <title>Snyk - Open Source Security</title>
              <g stroke="none" stroke-width="1" fill="none" fill-rule="evenodd">
                <g fill="#fff">
                  <path d="M5.732,27.278 C3.445,27.278 1.589,26.885 0,26.124 L0.483,22.472 C2.163,23.296 4.056,23.689 5.643,23.689 C6.801,23.689 7.563,23.295 7.563,22.599 C7.563,20.594 0.333,21.076 0.333,15.839 C0.333,12.491 3.407,10.729 7.259,10.729 C9.179,10.729 11.161,11.249 12.444,11.704 L11.924,15.294 C10.577,14.774 8.747,14.291 7.222,14.291 C6.282,14.291 5.518,14.621 5.518,15.231 C5.518,17.208 12.903,16.815 12.903,21.925 C12.903,25.325 9.877,27.277 5.733,27.277 L5.732,27.278 Z M25.726,26.936 L25.726,17.894 C25.726,15.827 24.811,14.85 23.069,14.85 C22.219,14.85 21.329,15.09 20.719,15.46 L20.719,26.936 L15.352,26.936 L15.352,11.262 L20.602,10.83 L20.474,13.392 L20.652,13.392 C21.784,11.87 23.702,10.716 25.992,10.716 C28.736,10.716 31.112,12.416 31.112,16.436 L31.112,26.936 L25.724,26.936 L25.726,26.936 Z M61.175,26.936 L56.879,19.479 L56.446,19.479 L56.446,26.935 L51.082,26.935 L51.082,8.37 L56.447,0 L56.447,17.323 C57.515,16.017 61.112,11.059 61.112,11.059 L67.732,11.059 L61.454,17.689 L67.949,26.95 L61.175,26.95 L61.175,26.938 L61.175,26.936 Z M44.13,11.11 L41.93,18.262 C41.5,19.606 41.08,22.079 41.08,22.079 C41.08,22.079 40.75,19.516 40.292,18.172 L37.94,11.108 L31.928,11.108 L38.462,26.935 C37.572,29.04 36.199,30.815 34.369,30.815 C34.039,30.815 33.709,30.802 33.389,30.765 L31.255,34.061 C31.928,34.441 33.212,34.835 34.737,34.835 C38.703,34.835 41.359,31.627 43.215,26.885 L49.443,11.108 L44.132,11.108 L44.13,11.11 Z"></path>
                </g>
              </g>
            </svg>
          </a>
          <div class="header-wrap">
            <h1 class="project__header__title">Snyk test report</h1>
            <p class="timestamp">September 14th 2025, 12:29:44 am (UTC+00:00)</p>
          </div>
          <div class="source-panel">
            <span>Scanned the following paths:</span>
            <ul>
              <li class="paths">/argo-cd/argoproj/argo-cd/v2/go.mod (gomodules)</li>
              <li class="paths">/argo-cd/argoproj/argo-cd/get-previous-release/hack/get-previous-release/go.mod (gomodules)</li>
              <li class="paths">/argo-cd/ui/yarn.lock (yarn)</li>
            </ul>
          </div>

          <div class="meta-counts">
            <div class="meta-count"><span>15</span> <span>known vulnerabilities</span></div>
            <div class="meta-count"><span>60 vulnerable dependency paths</span></div>
            <div class="meta-count"><span>2092</span> <span>dependencies</span></div>
          </div><!-- .meta-counts -->
        </div><!-- .layout-container--short -->
      </header><!-- .project__header -->
    </div><!-- .layout-stacked__header -->

    <div class="layout-container" style="padding-top: 35px;">
      <div class="cards--vuln filter--patch filter--ignore">
        <div class="card card--vuln disclosure--not-new severity--critical" data-snyk-test="critical">
          <h2 class="card__title">Predictable Value Range from Previous Values</h2>
          <div class="card__section">
            <div class="card__labels">
              <div class="label label--critical">
                <span class="label__text">critical severity</span>
              </div>
            </div>

            <hr/>

            <ul class="card__meta">
              <li class="card__meta__item">
                Manifest file: /argo-cd <span class="list-paths__item__arrow">›</span> ui/yarn.lock
              </li>
              <li class="card__meta__item">
                Package Manager: npm
              </li>
              <li class="card__meta__item">
                Vulnerable module: form-data
              </li>
              <li class="card__meta__item">
                Introduced through: argo-cd-ui@1.0.0, superagent@8.1.2 and others
              </li>
            </ul>

            <hr/>

            <h3 class="card__section__title">Detailed paths</h3>

            <ul class="card__meta__paths">
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  argo-cd-ui@1.0.0
                  <span class="list-paths__item__arrow">›</span>
                  superagent@8.1.2
                  <span class="list-paths__item__arrow">›</span>
                  form-data@4.0.0
                </span>
              </li>
            </ul><!-- .list-paths -->
          </div><!-- .card__section -->

          <hr/>
          <!-- Overview -->
          <h2 id="overview">Overview</h2>
          <p>Affected versions of this package are vulnerable to Predictable Value Range from Previous Values via the <code>boundary</code> value, which uses <code>Math.random()</code>. An attacker can manipulate HTTP request boundaries by exploiting predictable values, potentially leading to HTTP parameter pollution.</p>
          <h2 id="remediation">Remediation</h2>
          <p>Upgrade <code>form-data</code> to version 2.5.4, 3.0.4, 4.0.4 or higher.</p>
          <h2 id="references">References</h2>
          <ul>
            <li><a href="https://github.com/form-data/form-data/commit/3d1723080e6577a66f17f163ecd345a21d8d0fd0">GitHub Commit</a></li>
            <li><a href="https://github.com/form-data/form-data/commit/b88316c94bb004323669cd3639dc8bb8262539eb">GitHub Commit</a></li>
            <li><a href="https://github.com/form-data/form-data/commit/c6ced61d4fae8f617ee2fd692133ed87baa5d0fd">GitHub Commit</a></li>
            <li><a href="https://github.com/benweissmann/CVE-2025-7783-poc">POC</a></li>
            <li><a href="https://github.com/form-data/form-data/blob/426ba9ac440f95d1998dac9a5cd8d738043b048f/lib/form_data.js#L347">Vulnerable Code</a></li>
          </ul>

          <hr/>

          <div class="cta card__cta">
            <p><a href="https://snyk.io/vuln/SNYK-JS-FORMDATA-10841150">More about this vulnerability</a></p>
          </div>
        </div><!-- .card -->

        <div class="card card--vuln disclosure--not-new severity--high" data-snyk-test="high">
          <h2 class="card__title">Allocation of Resources Without Limits or Throttling</h2>
          <div class="card__section">
            <div class="card__labels">
              <div class="label label--high">
                <span class="label__text">high severity</span>
              </div>
            </div>

            <hr/>

            <ul class="card__meta">
              <li class="card__meta__item">
                Manifest file: /argo-cd/argoproj/argo-cd/v2 <span class="list-paths__item__arrow">›</span> go.mod
              </li>
              <li class="card__meta__item">
                Package Manager: golang
              </li>
              <li class="card__meta__item">
                Vulnerable module: golang.org/x/oauth2/jws
              </li>
              <li class="card__meta__item">
                Introduced through: github.com/argoproj/argo-cd/v2@0.0.0, golang.org/x/oauth2/google@0.24.0 and others
              </li>
            </ul>

            <hr/>

            <h3 class="card__section__title">Detailed paths</h3>

            <ul class="card__meta__paths">
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  github.com/argoproj/argo-cd/v2@0.0.0
                  <span class="list-paths__item__arrow">›</span>
                  golang.org/x/oauth2/google@0.24.0
                  <span class="list-paths__item__arrow">›</span>
                  golang.org/x/oauth2/jws@0.24.0
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  github.com/argoproj/argo-cd/v2@0.0.0
                  <span class="list-paths__item__arrow">›</span>
                  golang.org/x/oauth2/google@0.24.0
                  <span class="list-paths__item__arrow">›</span>
                  golang.org/x/oauth2/jwt@0.24.0
                  <span class="list-paths__item__arrow">›</span>
                  golang.org/x/oauth2/jws@0.24.0
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  github.com/argoproj/argo-cd/v2@0.0.0
                  <span class="list-paths__item__arrow">›</span>
                  github.com/argoproj/notifications-engine/pkg/services@#2fef5c9049fd
                  <span class="list-paths__item__arrow">›</span>
                  google.golang.org/api/chat/v1@0.171.0
                  <span class="list-paths__item__arrow">›</span>
                  google.golang.org/api/transport/http@0.171.0
                  <span class="list-paths__item__arrow">›</span>
                  google.golang.org/api/option@0.171.0
                  <span class="list-paths__item__arrow">›</span>
                  google.golang.org/api/internal@0.171.0
                  <span class="list-paths__item__arrow">›</span>
                  golang.org/x/oauth2/google@0.24.0
                  <span class="list-paths__item__arrow">›</span>
                  golang.org/x/oauth2/jws@0.24.0
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  github.com/argoproj/argo-cd/v2@0.0.0
                  <span class="list-paths__item__arrow">›</span>
                  github.com/argoproj/notifications-engine/pkg/subscriptions@#2fef5c9049fd
                  <span class="list-paths__item__arrow">›</span>
                  github.com/argoproj/notifications-engine/pkg/services@#2fef5c9049fd
                  <span class="list-paths__item__arrow">›</span>
                  google.golang.org/api/chat/v1@0.171.0
                  <span class="list-paths__item__arrow">›</span>
                  google.golang.org/api/transport/http@0.171.0
                  <span class="list-paths__item__arrow">›</span>
                  google.golang.org/api/option@0.171.0
                  <span class="list-paths__item__arrow">›</span>
                  google.golang.org/api/internal@0.171.0
                  <span class="list-paths__item__arrow">›</span>
                  golang.org/x/oauth2/google@0.24.0
                  <span class="list-paths__item__arrow">›</span>
                  golang.org/x/oauth2/jws@0.24.0
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  github.com/argoproj/argo-cd/v2@0.0.0
                  <span class="list-paths__item__arrow">›</span>
                  github.com/argoproj/notifications-engine/pkg/cmd@#2fef5c9049fd
                  <span class="list-paths__item__arrow">›</span>
                  github.com/argoproj/notifications-engine/pkg/services@#2fef5c9049fd
                  <span class="list-paths__item__arrow">›</span>
                  google.golang.org/api/chat/v1@0.171.0
                  <span class="list-paths__item__arrow">›</span>
                  google.golang.org/api/transport/http@0.171.0
                  <span class="list-paths__item__arrow">›</span>
                  google.golang.org/api/option@0.171.0
                  <span class="list-paths__item__arrow">›</span>
                  google.golang.org/api/internal@0.171.0
                  <span class="list-paths__item__arrow">›</span>
                  golang.org/x/oauth2/google@0.24.0
                  <span class="list-paths__item__arrow">›</span>
                  golang.org/x/oauth2/jws@0.24.0
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  github.com/argoproj/argo-cd/v2@0.0.0
                  <span class="list-paths__item__arrow">›</span>
                  github.com/argoproj/notifications-engine/pkg/services@#2fef5c9049fd
                  <span class="list-paths__item__arrow">›</span>
                  google.golang.org/api/chat/v1@0.171.0
                  <span class="list-paths__item__arrow">›</span>
                  google.golang.org/api/transport/http@0.171.0
                  <span class="list-paths__item__arrow">›</span>
                  google.golang.org/api/option@0.171.0
                  <span class="list-paths__item__arrow">›</span>
                  google.golang.org/api/internal@0.171.0
                  <span class="list-paths__item__arrow">›</span>
                  golang.org/x/oauth2/google@0.24.0
                  <span class="list-paths__item__arrow">›</span>
                  golang.org/x/oauth2/jwt@0.24.0
                  <span class="list-paths__item__arrow">›</span>
                  golang.org/x/oauth2/jws@0.24.0
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  github.com/argoproj/argo-cd/v2@0.0.0
                  <span class="list-paths__item__arrow">›</span>
                  github.com/argoproj/notifications-engine/pkg/api@#2fef5c9049fd
                  <span class="list-paths__item__arrow">›</span>
                  github.com/argoproj/notifications-engine/pkg/subscriptions@#2fef5c9049fd
                  <span class="list-paths__item__arrow">›</span>
                  github.com/argoproj/notifications-engine/pkg/services@#2fef5c9049fd
                  <span class="list-paths__item__arrow">›</span>
                  google.golang.org/api/chat/v1@0.171.0
                  <span class="list-paths__item__arrow">›</span>
                  google.golang.org/api/transport/http@0.171.0
                  <span class="list-paths__item__arrow">›</span>
                  google.golang.org/api/option@0.171.0
                  <span class="list-paths__item__arrow">›</span>
                  google.golang.org/api/internal@0.171.0
                  <span class="list-paths__item__arrow">›</span>
                  golang.org/x/oauth2/google@0.24.0
                  <span class="list-paths__item__arrow">›</span>
                  golang.org/x/oauth2/jws@0.24.0
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  github.com/argoproj/argo-cd/v2@0.0.0
                  <span class="list-paths__item__arrow">›</span>
                  github.com/argoproj/notifications-engine/pkg/controller@#2fef5c9049fd
                  <span class="list-paths__item__arrow">›</span>
                  github.com/argoproj/notifications-engine/pkg/subscriptions@#2fef5c9049fd
                  <span class="list-paths__item__arrow">›</span>
                  github.com/argoproj/notifications-engine/pkg/services@#2fef5c9049fd
                  <span class="list-paths__item__arrow">›</span>
                  google.golang.org/api/chat/v1@0.171.0
                  <span class="list-paths__item__arrow">›</span>
                  google.golang.org/api/transport/http@0.171.0
                  <span class="list-paths__item__arrow">›</span>
                  google.golang.org/api/option@0.171.0
                  <span class="list-paths__item__arrow">›</span>
                  google.golang.org/api/internal@0.171.0
                  <span class="list-paths__item__arrow">›</span>
                  golang.org/x/oauth2/google@0.24.0
                  <span class="list-paths__item__arrow">›</span>
                  golang.org/x/oauth2/jws@0.24.0
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  github.com/argoproj/argo-cd/v2@0.0.0
                  <span class="list-paths__item__arrow">›</span>
                  github.com/argoproj/notifications-engine/pkg/subscriptions@#2fef5c9049fd
                  <span class="list-paths__item__arrow">›</span>
                  github.com/argoproj/notifications-engine/pkg/services@#2fef5c9049fd
                  <span class="list-paths__item__arrow">›</span>
                  google.golang.org/api/chat/v1@0.171.0
                  <span class="list-paths__item__arrow">›</span>
                  google.golang.org/api/transport/http@0.171.0
                  <span class="list-paths__item__arrow">›</span>
                  google.golang.org/api/option@0.171.0
                  <span class="list-paths__item__arrow">›</span>
                  google.golang.org/api/internal@0.171.0
                  <span class="list-paths__item__arrow">›</span>
                  golang.org/x/oauth2/google@0.24.0
                  <span class="list-paths__item__arrow">›</span>
                  golang.org/x/oauth2/jwt@0.24.0
                  <span class="list-paths__item__arrow">›</span>
                  golang.org/x/oauth2/jws@0.24.0
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  github.com/argoproj/argo-cd/v2@0.0.0
                  <span class="list-paths__item__arrow">›</span>
                  github.com/argoproj/notifications-engine/pkg/cmd@#2fef5c9049fd
                  <span class="list-paths__item__arrow">›</span>
                  github.com/argoproj/notifications-engine/pkg/services@#2fef5c9049fd
                  <span class="list-paths__item__arrow">›</span>
                  google.golang.org/api/chat/v1@0.171.0
                  <span class="list-paths__item__arrow">›</span>
                  google.golang.org/api/transport/http@0.171.0
                  <span class="list-paths__item__arrow">›</span>
                  google.golang.org/api/option@0.171.0
                  <span class="list-paths__item__arrow">›</span>
                  google.golang.org/api/internal@0.171.0
                  <span class="list-paths__item__arrow">›</span>
                  golang.org/x/oauth2/google@0.24.0
                  <span class="list-paths__item__arrow">›</span>
                  golang.org/x/oauth2/jwt@0.24.0
                  <span class="list-paths__item__arrow">›</span>
                  golang.org/x/oauth2/jws@0.24.0
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  github.com/argoproj/argo-cd/v2@0.0.0
                  <span class="list-paths__item__arrow">›</span>
                  github.com/argoproj/notifications-engine/pkg/api@#2fef5c9049fd
                  <span class="list-paths__item__arrow">›</span>
                  github.com/argoproj/notifications-engine/pkg/subscriptions@#2fef5c9049fd
                  <span class="list-paths__item__arrow">›</span>
                  github.com/argoproj/notifications-engine/pkg/services@#2fef5c9049fd
                  <span class="list-paths__item__arrow">›</span>
                  google.golang.org/api/chat/v1@0.171.0
                  <span class="list-paths__item__arrow">›</span>
                  google.golang.org/api/transport/http@0.171.0
                  <span class="list-paths__item__arrow">›</span>
                  google.golang.org/api/option@0.171.0
                  <span class="list-paths__item__arrow">›</span>
                  google.golang.org/api/internal@0.171.0
                  <span class="list-paths__item__arrow">›</span>
                  golang.org/x/oauth2/google@0.24.0
                  <span class="list-paths__item__arrow">›</span>
                  golang.org/x/oauth2/jwt@0.24.0
                  <span class="list-paths__item__arrow">›</span>
                  golang.org/x/oauth2/jws@0.24.0
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  github.com/argoproj/argo-cd/v2@0.0.0
                  <span class="list-paths__item__arrow">›</span>
                  github.com/argoproj/notifications-engine/pkg/controller@#2fef5c9049fd
                  <span class="list-paths__item__arrow">›</span>
                  github.com/argoproj/notifications-engine/pkg/subscriptions@#2fef5c9049fd
                  <span class="list-paths__item__arrow">›</span>
                  github.com/argoproj/notifications-engine/pkg/services@#2fef5c9049fd
                  <span class="list-paths__item__arrow">›</span>
                  google.golang.org/api/chat/v1@0.171.0
                  <span class="list-paths__item__arrow">›</span>
                  google.golang.org/api/transport/http@0.171.0
                  <span class="list-paths__item__arrow">›</span>
                  google.golang.org/api/option@0.171.0
                  <span class="list-paths__item__arrow">›</span>
                  google.golang.org/api/internal@0.171.0
                  <span class="list-paths__item__arrow">›</span>
                  golang.org/x/oauth2/google@0.24.0
                  <span class="list-paths__item__arrow">›</span>
                  golang.org/x/oauth2/jwt@0.24.0
                  <span class="list-paths__item__arrow">›</span>
                  golang.org/x/oauth2/jws@0.24.0
                </span>
              </li>
            </ul><!-- .list-paths -->
          </div><!-- .card__section -->

          <hr/>
          <!-- Overview -->
          <h2 id="overview">Overview</h2>
          <p>Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to improper parsing of malformed tokens, which can lead to memory consumption.</p>
          <h2 id="remediation">Remediation</h2>
          <p>Upgrade <code>golang.org/x/oauth2/jws</code> to version 0.27.0 or higher.</p>
          <h2 id="references">References</h2>
          <ul>
            <li><a href="https://github.com/golang/oauth2/commit/681b4d8edca1bcfea5bce685d77ea7b82ed3e7b3">GitHub Commit</a></li>
            <li><a href="https://github.com/lestrrat-go/jwx/commit/d0bb4610154d45b7dce7d706a8068ea72586d249">GitHub Commit</a></li>
            <li><a href="https://github.com/golang/go/issues/71490">GitHub Issue</a></li>
            <li><a href="https://github.com/lestrrat-go/jwx/pull/1308">GitHub PR</a></li>
            <li><a href="https://pkg.go.dev/vuln/GO-2025-3488">Go Advisory</a></li>
          </ul>

          <hr/>

          <div class="cta card__cta">
            <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXOAUTH2JWS-8749594">More about this vulnerability</a></p>
          </div>
        </div><!-- .card -->

        <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium">
          <h2 class="card__title">LGPL-3.0 license</h2>
          <div class="card__section">
            <div class="card__labels">
              <div class="label label--medium">
                <span class="label__text">medium severity</span>
              </div>
            </div>

            <hr/>

            <ul class="card__meta">
              <li class="card__meta__item">
                Manifest file: /argo-cd/argoproj/argo-cd/v2 <span class="list-paths__item__arrow">›</span> go.mod
              </li>
              <li class="card__meta__item">
                Package Manager: golang
              </li>
              <li class="card__meta__item">
                Module: gopkg.in/retry.v1
              </li>
              <li class="card__meta__item">
                Introduced through: github.com/argoproj/argo-cd/v2@0.0.0, github.com/Azure/kubelogin/pkg/token@0.1.6 and others
              </li>
            </ul>

            <hr/>

            <h3 class="card__section__title">Detailed paths</h3>

            <ul class="card__meta__paths">
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  github.com/argoproj/argo-cd/v2@0.0.0
                  <span class="list-paths__item__arrow">›</span>
                  github.com/Azure/kubelogin/pkg/token@0.1.6
                  <span class="list-paths__item__arrow">›</span>
                  github.com/Azure/kubelogin/pkg/internal/token@0.1.6
                  <span class="list-paths__item__arrow">›</span>
                  gopkg.in/retry.v1@1.0.3
                </span>
              </li>
            </ul><!-- .list-paths -->
          </div><!-- .card__section -->

          <hr/>
          <!-- Overview -->
          <p>LGPL-3.0 license</p>

          <hr/>

          <div class="cta card__cta">
            <p><a href="https://snyk.io/vuln/snyk:lic:golang:gopkg.in:retry.v1:LGPL-3.0">More about this vulnerability</a></p>
          </div>
        </div><!-- .card -->

        <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium">
          <h2 class="card__title">MPL-2.0 license</h2>
          <div class="card__section">
            <div class="card__labels">
              <div class="label label--medium">
                <span class="label__text">medium severity</span>
              </div>
            </div>

            <hr/>

            <ul class="card__meta">
              <li class="card__meta__item">
                Manifest file: /argo-cd/argoproj/argo-cd/v2 <span class="list-paths__item__arrow">›</span> go.mod
              </li>
              <li class="card__meta__item">
                Package Manager: golang
              </li>
              <li class="card__meta__item">
                Module: github.com/r3labs/diff
              </li>
              <li class="card__meta__item">
                Introduced through: github.com/argoproj/argo-cd/v2@0.0.0 and github.com/r3labs/diff@1.1.0
              </li>
            </ul>

            <hr/>

            <h3 class="card__section__title">Detailed paths</h3>

            <ul class="card__meta__paths">
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  github.com/argoproj/argo-cd/v2@0.0.0
                  <span class="list-paths__item__arrow">›</span>
                  github.com/r3labs/diff@1.1.0
                </span>
              </li>
            </ul><!-- .list-paths -->
          </div><!-- .card__section -->

          <hr/>
          <!-- Overview -->
          <p>MPL-2.0 license</p>

          <hr/>

          <div class="cta card__cta">
            <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:r3labs:diff:MPL-2.0">More about this vulnerability</a></p>
          </div>
        </div><!-- .card -->

        <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium">
          <h2 class="card__title">MPL-2.0 license</h2>
          <div class="card__section">
            <div class="card__labels">
              <div class="label label--medium">
                <span class="label__text">medium severity</span>
              </div>
            </div>

            <hr/>

            <ul class="card__meta">
              <li class="card__meta__item">
                Manifest file: /argo-cd/argoproj/argo-cd/v2 <span class="list-paths__item__arrow">›</span> go.mod
              </li>
              <li class="card__meta__item">
                Package Manager: golang
              </li>
              <li class="card__meta__item">
                Module: github.com/hashicorp/go-version
              </li>
              <li class="card__meta__item">
                Introduced through: github.com/argoproj/argo-cd/v2@0.0.0, code.gitea.io/sdk/gitea@0.19.0 and others
              </li>
            </ul>

            <hr/>

            <h3 class="card__section__title">Detailed paths</h3>

            <ul class="card__meta__paths">
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  github.com/argoproj/argo-cd/v2@0.0.0
                  <span class="list-paths__item__arrow">›</span>
                  code.gitea.io/sdk/gitea@0.19.0
                  <span class="list-paths__item__arrow">›</span>
                  github.com/hashicorp/go-version@1.6.0
                </span>
              </li>
            </ul><!-- .list-paths -->
          </div><!-- .card__section -->

          <hr/>
          <!-- Overview -->
          <p>MPL-2.0 license</p>

          <hr/>

          <div class="cta card__cta">
            <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:go-version:MPL-2.0">More about this vulnerability</a></p>
          </div>
        </div><!-- .card -->

        <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium">
          <h2 class="card__title">MPL-2.0 license</h2>
          <div class="card__section">
            <div class="card__labels">
              <div class="label label--medium">
                <span class="label__text">medium severity</span>
              </div>
            </div>

            <hr/>

            <ul class="card__meta">
              <li class="card__meta__item">
                Manifest file: /argo-cd/argoproj/argo-cd/v2 <span class="list-paths__item__arrow">›</span> go.mod
              </li>
              <li class="card__meta__item">
                Package Manager: golang
              </li>
              <li class="card__meta__item">
                Module: github.com/hashicorp/go-retryablehttp
              </li>
              <li class="card__meta__item">
                Introduced through: github.com/argoproj/argo-cd/v2@0.0.0 and github.com/hashicorp/go-retryablehttp@0.7.7
              </li>
            </ul>

            <hr/>

            <h3 class="card__section__title">Detailed paths</h3>

            <ul class="card__meta__paths">
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  github.com/argoproj/argo-cd/v2@0.0.0
                  <span class="list-paths__item__arrow">›</span>
                  github.com/hashicorp/go-retryablehttp@0.7.7
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  github.com/argoproj/argo-cd/v2@0.0.0
                  <span class="list-paths__item__arrow">›</span>
                  github.com/argoproj/notifications-engine/pkg/services@#2fef5c9049fd
                  <span class="list-paths__item__arrow">›</span>
                  github.com/hashicorp/go-retryablehttp@0.7.7
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  github.com/argoproj/argo-cd/v2@0.0.0
                  <span class="list-paths__item__arrow">›</span>
                  github.com/xanzy/go-gitlab@0.114.0
                  <span class="list-paths__item__arrow">›</span>
                  github.com/hashicorp/go-retryablehttp@0.7.7
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  github.com/argoproj/argo-cd/v2@0.0.0
                  <span class="list-paths__item__arrow">›</span>
                  github.com/argoproj/notifications-engine/pkg/subscriptions@#2fef5c9049fd
                  <span class="list-paths__item__arrow">›</span>
                  github.com/argoproj/notifications-engine/pkg/services@#2fef5c9049fd
                  <span class="list-paths__item__arrow">›</span>
                  github.com/hashicorp/go-retryablehttp@0.7.7
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  github.com/argoproj/argo-cd/v2@0.0.0
                  <span class="list-paths__item__arrow">›</span>
                  github.com/argoproj/notifications-engine/pkg/cmd@#2fef5c9049fd
                  <span class="list-paths__item__arrow">›</span>
                  github.com/argoproj/notifications-engine/pkg/services@#2fef5c9049fd
                  <span class="list-paths__item__arrow">›</span>
                  github.com/hashicorp/go-retryablehttp@0.7.7
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  github.com/argoproj/argo-cd/v2@0.0.0
                  <span class="list-paths__item__arrow">›</span>
                  github.com/argoproj/notifications-engine/pkg/services@#2fef5c9049fd
                  <span class="list-paths__item__arrow">›</span>
                  github.com/opsgenie/opsgenie-go-sdk-v2/client@1.0.5
                  <span
class="list-paths__item__arrow">›</span> 1214 github.com/hashicorp/go-retryablehttp@0.7.7 1215 1216 </span> 1217 1218 </li> 1219 <li> 1220 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1221 github.com/argoproj/argo-cd/v2@0.0.0 1222 <span class="list-paths__item__arrow">›</span> 1223 github.com/argoproj/notifications-engine/pkg/api@#2fef5c9049fd 1224 <span class="list-paths__item__arrow">›</span> 1225 github.com/argoproj/notifications-engine/pkg/subscriptions@#2fef5c9049fd 1226 <span class="list-paths__item__arrow">›</span> 1227 github.com/argoproj/notifications-engine/pkg/services@#2fef5c9049fd 1228 <span class="list-paths__item__arrow">›</span> 1229 github.com/hashicorp/go-retryablehttp@0.7.7 1230 1231 </span> 1232 1233 </li> 1234 <li> 1235 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1236 github.com/argoproj/argo-cd/v2@0.0.0 1237 <span class="list-paths__item__arrow">›</span> 1238 github.com/argoproj/notifications-engine/pkg/controller@#2fef5c9049fd 1239 <span class="list-paths__item__arrow">›</span> 1240 github.com/argoproj/notifications-engine/pkg/subscriptions@#2fef5c9049fd 1241 <span class="list-paths__item__arrow">›</span> 1242 github.com/argoproj/notifications-engine/pkg/services@#2fef5c9049fd 1243 <span class="list-paths__item__arrow">›</span> 1244 github.com/hashicorp/go-retryablehttp@0.7.7 1245 1246 </span> 1247 1248 </li> 1249 <li> 1250 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1251 github.com/argoproj/argo-cd/v2@0.0.0 1252 <span class="list-paths__item__arrow">›</span> 1253 github.com/argoproj/notifications-engine/pkg/subscriptions@#2fef5c9049fd 1254 <span class="list-paths__item__arrow">›</span> 1255 github.com/argoproj/notifications-engine/pkg/services@#2fef5c9049fd 1256 <span class="list-paths__item__arrow">›</span> 1257 github.com/opsgenie/opsgenie-go-sdk-v2/client@1.0.5 1258 <span class="list-paths__item__arrow">›</span> 1259 
github.com/hashicorp/go-retryablehttp@0.7.7 1260 1261 </span> 1262 1263 </li> 1264 <li> 1265 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1266 github.com/argoproj/argo-cd/v2@0.0.0 1267 <span class="list-paths__item__arrow">›</span> 1268 github.com/argoproj/notifications-engine/pkg/cmd@#2fef5c9049fd 1269 <span class="list-paths__item__arrow">›</span> 1270 github.com/argoproj/notifications-engine/pkg/services@#2fef5c9049fd 1271 <span class="list-paths__item__arrow">›</span> 1272 github.com/opsgenie/opsgenie-go-sdk-v2/client@1.0.5 1273 <span class="list-paths__item__arrow">›</span> 1274 github.com/hashicorp/go-retryablehttp@0.7.7 1275 1276 </span> 1277 1278 </li> 1279 <li> 1280 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1281 github.com/argoproj/argo-cd/v2@0.0.0 1282 <span class="list-paths__item__arrow">›</span> 1283 github.com/argoproj/notifications-engine/pkg/api@#2fef5c9049fd 1284 <span class="list-paths__item__arrow">›</span> 1285 github.com/argoproj/notifications-engine/pkg/subscriptions@#2fef5c9049fd 1286 <span class="list-paths__item__arrow">›</span> 1287 github.com/argoproj/notifications-engine/pkg/services@#2fef5c9049fd 1288 <span class="list-paths__item__arrow">›</span> 1289 github.com/opsgenie/opsgenie-go-sdk-v2/client@1.0.5 1290 <span class="list-paths__item__arrow">›</span> 1291 github.com/hashicorp/go-retryablehttp@0.7.7 1292 1293 </span> 1294 1295 </li> 1296 <li> 1297 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1298 github.com/argoproj/argo-cd/v2@0.0.0 1299 <span class="list-paths__item__arrow">›</span> 1300 github.com/argoproj/notifications-engine/pkg/controller@#2fef5c9049fd 1301 <span class="list-paths__item__arrow">›</span> 1302 github.com/argoproj/notifications-engine/pkg/subscriptions@#2fef5c9049fd 1303 <span class="list-paths__item__arrow">›</span> 1304 github.com/argoproj/notifications-engine/pkg/services@#2fef5c9049fd 1305 <span 
class="list-paths__item__arrow">›</span> 1306 github.com/opsgenie/opsgenie-go-sdk-v2/client@1.0.5 1307 <span class="list-paths__item__arrow">›</span> 1308 github.com/hashicorp/go-retryablehttp@0.7.7 1309 1310 </span> 1311 1312 </li> 1313 </ul><!-- .list-paths --> 1314 1315 </div><!-- .card__section --> 1316 1317 <hr/> 1318 <!-- Overview --> 1319 <p>MPL-2.0 license</p> 1320 1321 <hr/> 1322 1323 <div class="cta card__cta"> 1324 <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:go-retryablehttp:MPL-2.0">More about this vulnerability</a></p> 1325 </div> 1326 1327 </div><!-- .card --> 1328 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1329 <h2 class="card__title">MPL-2.0 license</h2> 1330 <div class="card__section"> 1331 1332 <div class="card__labels"> 1333 <div class="label label--medium"> 1334 <span class="label__text">medium severity</span> 1335 </div> 1336 </div> 1337 1338 <hr/> 1339 1340 <ul class="card__meta"> 1341 <li class="card__meta__item"> 1342 Manifest file: /argo-cd/argoproj/argo-cd/v2 <span class="list-paths__item__arrow">›</span> go.mod 1343 </li> 1344 <li class="card__meta__item"> 1345 Package Manager: golang 1346 </li> 1347 <li class="card__meta__item"> 1348 Module: 1349 1350 github.com/hashicorp/go-cleanhttp 1351 </li> 1352 1353 <li class="card__meta__item">Introduced through: 1354 1355 1356 github.com/argoproj/argo-cd/v2@0.0.0, github.com/hashicorp/go-retryablehttp@0.7.7 and others 1357 </li> 1358 </ul> 1359 1360 <hr/> 1361 1362 1363 <h3 class="card__section__title">Detailed paths</h3> 1364 1365 <ul class="card__meta__paths"> 1366 <li> 1367 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1368 github.com/argoproj/argo-cd/v2@0.0.0 1369 <span class="list-paths__item__arrow">›</span> 1370 github.com/hashicorp/go-retryablehttp@0.7.7 1371 <span class="list-paths__item__arrow">›</span> 1372 github.com/hashicorp/go-cleanhttp@0.5.2 1373 1374 </span> 1375 1376 </li> 1377 
<li> 1378 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1379 github.com/argoproj/argo-cd/v2@0.0.0 1380 <span class="list-paths__item__arrow">›</span> 1381 github.com/xanzy/go-gitlab@0.114.0 1382 <span class="list-paths__item__arrow">›</span> 1383 github.com/hashicorp/go-cleanhttp@0.5.2 1384 1385 </span> 1386 1387 </li> 1388 <li> 1389 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1390 github.com/argoproj/argo-cd/v2@0.0.0 1391 <span class="list-paths__item__arrow">›</span> 1392 github.com/xanzy/go-gitlab@0.114.0 1393 <span class="list-paths__item__arrow">›</span> 1394 github.com/hashicorp/go-retryablehttp@0.7.7 1395 <span class="list-paths__item__arrow">›</span> 1396 github.com/hashicorp/go-cleanhttp@0.5.2 1397 1398 </span> 1399 1400 </li> 1401 <li> 1402 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1403 github.com/argoproj/argo-cd/v2@0.0.0 1404 <span class="list-paths__item__arrow">›</span> 1405 github.com/argoproj/notifications-engine/pkg/services@#2fef5c9049fd 1406 <span class="list-paths__item__arrow">›</span> 1407 github.com/opsgenie/opsgenie-go-sdk-v2/client@1.0.5 1408 <span class="list-paths__item__arrow">›</span> 1409 github.com/hashicorp/go-retryablehttp@0.7.7 1410 <span class="list-paths__item__arrow">›</span> 1411 github.com/hashicorp/go-cleanhttp@0.5.2 1412 1413 </span> 1414 1415 </li> 1416 <li> 1417 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1418 github.com/argoproj/argo-cd/v2@0.0.0 1419 <span class="list-paths__item__arrow">›</span> 1420 github.com/argoproj/notifications-engine/pkg/subscriptions@#2fef5c9049fd 1421 <span class="list-paths__item__arrow">›</span> 1422 github.com/argoproj/notifications-engine/pkg/services@#2fef5c9049fd 1423 <span class="list-paths__item__arrow">›</span> 1424 github.com/opsgenie/opsgenie-go-sdk-v2/client@1.0.5 1425 <span class="list-paths__item__arrow">›</span> 1426 github.com/hashicorp/go-retryablehttp@0.7.7 1427 <span 
class="list-paths__item__arrow">›</span> 1428 github.com/hashicorp/go-cleanhttp@0.5.2 1429 1430 </span> 1431 1432 </li> 1433 <li> 1434 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1435 github.com/argoproj/argo-cd/v2@0.0.0 1436 <span class="list-paths__item__arrow">›</span> 1437 github.com/argoproj/notifications-engine/pkg/cmd@#2fef5c9049fd 1438 <span class="list-paths__item__arrow">›</span> 1439 github.com/argoproj/notifications-engine/pkg/services@#2fef5c9049fd 1440 <span class="list-paths__item__arrow">›</span> 1441 github.com/opsgenie/opsgenie-go-sdk-v2/client@1.0.5 1442 <span class="list-paths__item__arrow">›</span> 1443 github.com/hashicorp/go-retryablehttp@0.7.7 1444 <span class="list-paths__item__arrow">›</span> 1445 github.com/hashicorp/go-cleanhttp@0.5.2 1446 1447 </span> 1448 1449 </li> 1450 <li> 1451 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1452 github.com/argoproj/argo-cd/v2@0.0.0 1453 <span class="list-paths__item__arrow">›</span> 1454 github.com/argoproj/notifications-engine/pkg/api@#2fef5c9049fd 1455 <span class="list-paths__item__arrow">›</span> 1456 github.com/argoproj/notifications-engine/pkg/subscriptions@#2fef5c9049fd 1457 <span class="list-paths__item__arrow">›</span> 1458 github.com/argoproj/notifications-engine/pkg/services@#2fef5c9049fd 1459 <span class="list-paths__item__arrow">›</span> 1460 github.com/opsgenie/opsgenie-go-sdk-v2/client@1.0.5 1461 <span class="list-paths__item__arrow">›</span> 1462 github.com/hashicorp/go-retryablehttp@0.7.7 1463 <span class="list-paths__item__arrow">›</span> 1464 github.com/hashicorp/go-cleanhttp@0.5.2 1465 1466 </span> 1467 1468 </li> 1469 <li> 1470 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1471 github.com/argoproj/argo-cd/v2@0.0.0 1472 <span class="list-paths__item__arrow">›</span> 1473 github.com/argoproj/notifications-engine/pkg/controller@#2fef5c9049fd 1474 <span class="list-paths__item__arrow">›</span> 1475 
github.com/argoproj/notifications-engine/pkg/subscriptions@#2fef5c9049fd 1476 <span class="list-paths__item__arrow">›</span> 1477 github.com/argoproj/notifications-engine/pkg/services@#2fef5c9049fd 1478 <span class="list-paths__item__arrow">›</span> 1479 github.com/opsgenie/opsgenie-go-sdk-v2/client@1.0.5 1480 <span class="list-paths__item__arrow">›</span> 1481 github.com/hashicorp/go-retryablehttp@0.7.7 1482 <span class="list-paths__item__arrow">›</span> 1483 github.com/hashicorp/go-cleanhttp@0.5.2 1484 1485 </span> 1486 1487 </li> 1488 </ul><!-- .list-paths --> 1489 1490 </div><!-- .card__section --> 1491 1492 <hr/> 1493 <!-- Overview --> 1494 <p>MPL-2.0 license</p> 1495 1496 <hr/> 1497 1498 <div class="cta card__cta"> 1499 <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:go-cleanhttp:MPL-2.0">More about this vulnerability</a></p> 1500 </div> 1501 1502 </div><!-- .card --> 1503 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1504 <h2 class="card__title">MPL-2.0 license</h2> 1505 <div class="card__section"> 1506 1507 <div class="card__labels"> 1508 <div class="label label--medium"> 1509 <span class="label__text">medium severity</span> 1510 </div> 1511 </div> 1512 1513 <hr/> 1514 1515 <ul class="card__meta"> 1516 <li class="card__meta__item"> 1517 Manifest file: /argo-cd/argoproj/argo-cd/v2 <span class="list-paths__item__arrow">›</span> go.mod 1518 </li> 1519 <li class="card__meta__item"> 1520 Package Manager: golang 1521 </li> 1522 <li class="card__meta__item"> 1523 Module: 1524 1525 github.com/gosimple/slug 1526 </li> 1527 1528 <li class="card__meta__item">Introduced through: 1529 1530 github.com/argoproj/argo-cd/v2@0.0.0 and github.com/gosimple/slug@1.14.0 1531 1532 </li> 1533 </ul> 1534 1535 <hr/> 1536 1537 1538 <h3 class="card__section__title">Detailed paths</h3> 1539 1540 <ul class="card__meta__paths"> 1541 <li> 1542 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1543 
github.com/argoproj/argo-cd/v2@0.0.0 1544 <span class="list-paths__item__arrow">›</span> 1545 github.com/gosimple/slug@1.14.0 1546 1547 </span> 1548 1549 </li> 1550 </ul><!-- .list-paths --> 1551 1552 </div><!-- .card__section --> 1553 1554 <hr/> 1555 <!-- Overview --> 1556 <p>MPL-2.0 license</p> 1557 1558 <hr/> 1559 1560 <div class="cta card__cta"> 1561 <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:gosimple:slug:MPL-2.0">More about this vulnerability</a></p> 1562 </div> 1563 1564 </div><!-- .card --> 1565 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1566 <h2 class="card__title">Allocation of Resources Without Limits or Throttling</h2> 1567 <div class="card__section"> 1568 1569 <div class="card__labels"> 1570 <div class="label label--medium"> 1571 <span class="label__text">medium severity</span> 1572 </div> 1573 </div> 1574 1575 <hr/> 1576 1577 <ul class="card__meta"> 1578 <li class="card__meta__item"> 1579 Manifest file: /argo-cd/argoproj/argo-cd/v2 <span class="list-paths__item__arrow">›</span> go.mod 1580 </li> 1581 <li class="card__meta__item"> 1582 Package Manager: golang 1583 </li> 1584 <li class="card__meta__item"> 1585 Vulnerable module: 1586 1587 github.com/go-jose/go-jose/v4 1588 </li> 1589 1590 <li class="card__meta__item">Introduced through: 1591 1592 1593 github.com/argoproj/argo-cd/v2@0.0.0, github.com/coreos/go-oidc/v3/oidc@3.11.0 and others 1594 </li> 1595 </ul> 1596 1597 <hr/> 1598 1599 1600 <h3 class="card__section__title">Detailed paths</h3> 1601 1602 <ul class="card__meta__paths"> 1603 <li> 1604 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1605 github.com/argoproj/argo-cd/v2@0.0.0 1606 <span class="list-paths__item__arrow">›</span> 1607 github.com/coreos/go-oidc/v3/oidc@3.11.0 1608 <span class="list-paths__item__arrow">›</span> 1609 github.com/go-jose/go-jose/v4@4.0.2 1610 1611 </span> 1612 1613 </li> 1614 </ul><!-- .list-paths --> 1615 1616 </div><!-- 
.card__section --> 1617 1618 <hr/> 1619 <!-- Overview --> 1620 <h2 id="overview">Overview</h2> 1621 <p>Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the use of <code>strings.Split</code> to split JWT tokens. An attacker can cause memory exhaustion and service disruption by sending numerous malformed tokens with a large number of <code>.</code> characters. </p> 1622 <h2 id="workaround">Workaround</h2> 1623 <p>This vulnerability can be mitigated by pre-validating that payloads passed to Go JOSE do not contain an excessive number of <code>.</code> characters.</p> 1624 <h2 id="remediation">Remediation</h2> 1625 <p>Upgrade <code>github.com/go-jose/go-jose/v4</code> to version 4.0.5 or higher.</p> 1626 <h2 id="references">References</h2> 1627 <ul> 1628 <li><a href="https://github.com/go-jose/go-jose/commit/99b346cec4e86d102284642c5dcbe9bb0cacfc22">GitHub Commit</a></li> 1629 <li><a href="https://github.com/go-jose/go-jose/releases/tag/v4.0.5">GitHub Release</a></li> 1630 </ul> 1631 1632 <hr/> 1633 1634 <div class="cta card__cta"> 1635 <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGOJOSEGOJOSEV4-8745975">More about this vulnerability</a></p> 1636 </div> 1637 1638 </div><!-- .card --> 1639 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1640 <h2 class="card__title">Allocation of Resources Without Limits or Throttling</h2> 1641 <div class="card__section"> 1642 1643 <div class="card__labels"> 1644 <div class="label label--medium"> 1645 <span class="label__text">medium severity</span> 1646 </div> 1647 </div> 1648 1649 <hr/> 1650 1651 <ul class="card__meta"> 1652 <li class="card__meta__item"> 1653 Manifest file: /argo-cd/argoproj/argo-cd/v2 <span class="list-paths__item__arrow">›</span> go.mod 1654 </li> 1655 <li class="card__meta__item"> 1656 Package Manager: golang 1657 </li> 1658 <li class="card__meta__item"> 1659 Vulnerable module: 1660 1661 
github.com/go-jose/go-jose/v3 1662 </li> 1663 1664 <li class="card__meta__item">Introduced through: 1665 1666 github.com/argoproj/argo-cd/v2@0.0.0 and github.com/go-jose/go-jose/v3@3.0.3 1667 1668 </li> 1669 </ul> 1670 1671 <hr/> 1672 1673 1674 <h3 class="card__section__title">Detailed paths</h3> 1675 1676 <ul class="card__meta__paths"> 1677 <li> 1678 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1679 github.com/argoproj/argo-cd/v2@0.0.0 1680 <span class="list-paths__item__arrow">›</span> 1681 github.com/go-jose/go-jose/v3@3.0.3 1682 1683 </span> 1684 1685 </li> 1686 </ul><!-- .list-paths --> 1687 1688 </div><!-- .card__section --> 1689 1690 <hr/> 1691 <!-- Overview --> 1692 <h2 id="overview">Overview</h2> 1693 <p>Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the use of <code>strings.Split</code> to split JWT tokens. An attacker can cause memory exhaustion and service disruption by sending numerous malformed tokens with a large number of <code>.</code> characters. 
</p> 1694 <h2 id="workaround">Workaround</h2> 1695 <p>This vulnerability can be mitigated by pre-validating that payloads passed to Go JOSE do not contain an excessive number of <code>.</code> characters.</p> 1696 <h2 id="remediation">Remediation</h2> 1697 <p>Upgrade <code>github.com/go-jose/go-jose/v3</code> to version 3.0.4 or higher.</p> 1698 <h2 id="references">References</h2> 1699 <ul> 1700 <li><a href="https://github.com/go-jose/go-jose/commit/99b346cec4e86d102284642c5dcbe9bb0cacfc22">GitHub Commit</a></li> 1701 <li><a href="https://github.com/go-jose/go-jose/releases/tag/v4.0.5">GitHub Release</a></li> 1702 </ul> 1703 1704 <hr/> 1705 1706 <div class="cta card__cta"> 1707 <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGOJOSEGOJOSEV3-8754524">More about this vulnerability</a></p> 1708 </div> 1709 1710 </div><!-- .card --> 1711 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1712 <h2 class="card__title">Regular Expression Denial of Service (ReDoS)</h2> 1713 <div class="card__section"> 1714 1715 <div class="card__labels"> 1716 <div class="label label--medium"> 1717 <span class="label__text">medium severity</span> 1718 </div> 1719 </div> 1720 1721 <hr/> 1722 1723 <ul class="card__meta"> 1724 <li class="card__meta__item"> 1725 Manifest file: /argo-cd <span class="list-paths__item__arrow">›</span> ui/yarn.lock 1726 </li> 1727 <li class="card__meta__item"> 1728 Package Manager: npm 1729 </li> 1730 <li class="card__meta__item"> 1731 Vulnerable module: 1732 1733 foundation-sites 1734 </li> 1735 1736 <li class="card__meta__item">Introduced through: 1737 1738 argo-cd-ui@1.0.0 and foundation-sites@6.8.1 1739 1740 </li> 1741 </ul> 1742 1743 <hr/> 1744 1745 1746 <h3 class="card__section__title">Detailed paths</h3> 1747 1748 <ul class="card__meta__paths"> 1749 <li> 1750 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1751 argo-cd-ui@1.0.0 1752 <span class="list-paths__item__arrow">›</span> 1753 
foundation-sites@6.8.1 1754 1755 </span> 1756 1757 </li> 1758 <li> 1759 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1760 argo-cd-ui@1.0.0 1761 <span class="list-paths__item__arrow">›</span> 1762 argo-ui@1.0.0 1763 <span class="list-paths__item__arrow">›</span> 1764 foundation-sites@6.8.1 1765 1766 </span> 1767 1768 </li> 1769 </ul><!-- .list-paths --> 1770 1771 </div><!-- .card__section --> 1772 1773 <hr/> 1774 <!-- Overview --> 1775 <h2 id="overview">Overview</h2> 1776 <p><a href="https://github.com/zurb/foundation-sites">foundation-sites</a> is a responsive front-end framework</p> 1777 <p>Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) due to inefficient backtracking in the regular expressions used in URL forms.</p> 1778 <h2 id="poc">PoC</h2> 1779 <pre><code>https://www.'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' 1780 </code></pre> 1781 <h2 id="details">Details</h2> 1782 <p>Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.</p> 1783 <p>The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. 
Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.</p> 1784 <p>Let’s take the following regular expression as an example:</p> 1785 <pre><code class="language-js">regex = /A(B|C+)+D/ 1786 </code></pre> 1787 <p>This regular expression accomplishes the following:</p> 1788 <ul> 1789 <li><code>A</code> The string must start with the letter 'A'</li> 1790 <li><code>(B|C+)+</code> The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the <code>+</code> matches one or more times). The <code>+</code> at the end of this section states that we can look for one or more matches of this section.</li> 1791 <li><code>D</code> Finally, we ensure this section of the string ends with a 'D'</li> 1792 </ul> 1793 <p>The expression would match inputs such as <code>ABBD</code>, <code>ABCCCCD</code>, <code>ABCBCCCD</code> and <code>ACCCCCD</code>.</p> 1794 <p>In most cases, it doesn't take very long for a regex engine to find a match:</p> 1795 <pre><code class="language-bash">$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")' 1796 0.04s user 0.01s system 95% cpu 0.052 total 1797 1798 $ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")' 1799 1.79s user 0.02s system 99% cpu 1.812 total 1800 </code></pre> 1801 <p>The entire process of testing it against a 30-character string takes around 52 ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.</p> 1802 <p>Most regex engines work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. 
If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as <em>catastrophic backtracking</em>.</p> 1803 <p>Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:</p> 1804 <ol> 1805 <li>CCC</li> 1806 <li>CC+C</li> 1807 <li>C+CC</li> 1808 <li>C+C+C.</li> 1809 </ol> 1810 <p>The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use <a href="https://regex101.com/debugger">RegEx 101 debugger</a> to see the engine has to take a total of 38 steps before it can determine the string doesn't match.</p> 1811 <p>From there, the number of steps the engine must use to validate a string just continues to grow.</p> 1812 <table> 1813 <thead> 1814 <tr> 1815 <th>String</th> 1816 <th align="right">Number of C's</th> 1817 <th align="right">Number of steps</th> 1818 </tr> 1819 </thead> 1820 <tbody><tr> 1821 <td>ACCCX</td> 1822 <td align="right">3</td> 1823 <td align="right">38</td> 1824 </tr> 1825 <tr> 1826 <td>ACCCCX</td> 1827 <td align="right">4</td> 1828 <td align="right">71</td> 1829 </tr> 1830 <tr> 1831 <td>ACCCCCX</td> 1832 <td align="right">5</td> 1833 <td align="right">136</td> 1834 </tr> 1835 <tr> 1836 <td>ACCCCCCCCCCCCCCX</td> 1837 <td align="right">14</td> 1838 <td align="right">65,553</td> 1839 </tr> 1840 </tbody></table> 1841 <p>By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. 
In these extreme situations the engine works very slowly (the number of steps grows exponentially with input size, as shown above), allowing an attacker to exploit this and cause the service to consume excessive CPU, resulting in a Denial of Service.</p> 1842 <h2 id="remediation">Remediation</h2> 1843 <p>There is no fixed version for <code>foundation-sites</code>.</p> 1844 <h2 id="references">References</h2> 1845 <ul> 1846 <li><a href="https://securitylab.github.com/advisories/GHSL-2020-290-redos-foundation-sites">GitHub Advisory</a></li> 1847 <li><a href="https://github.com/foundation/foundation-sites/issues/12180">GitHub Issue</a></li> 1848 <li><a href="https://github.com/foundation/foundation-sites/blob/develop/js/foundation.abide.js#L864">Vulnerable Code</a></li> 1849 </ul> 1850 1851 <hr/> 1852 1853 <div class="cta card__cta"> 1854 <p><a href="https://snyk.io/vuln/SNYK-JS-FOUNDATIONSITES-8310364">More about this vulnerability</a></p> 1855 </div> 1856 1857 </div><!-- .card --> 1858 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1859 <h2 class="card__title">Regular Expression Denial of Service (ReDoS)</h2> 1860 <div class="card__section"> 1861 1862 <div class="card__labels"> 1863 <div class="label label--medium"> 1864 <span class="label__text">medium severity</span> 1865 </div> 1866 </div> 1867 1868 <hr/> 1869 1870 <ul class="card__meta"> 1871 <li class="card__meta__item"> 1872 Manifest file: /argo-cd <span class="list-paths__item__arrow">›</span> ui/yarn.lock 1873 </li> 1874 <li class="card__meta__item"> 1875 Package Manager: npm 1876 </li> 1877 <li class="card__meta__item"> 1878 Vulnerable module: 1879 1880 @babel/runtime 1881 </li> 1882 1883 <li class="card__meta__item">Introduced through: 1884 1885 1886 argo-cd-ui@1.0.0, history@4.10.1 and others 1887 </li> 1888 </ul> 1889 1890 <hr/> 1891 1892 1893 <h3 class="card__section__title">Detailed paths</h3> 1894 1895 <ul class="card__meta__paths"> 1896 <li> 1897 <span 
class="list-paths__item__introduced"><em>Introduced through</em>: 1898 argo-cd-ui@1.0.0 1899 <span class="list-paths__item__arrow">›</span> 1900 history@4.10.1 1901 <span class="list-paths__item__arrow">›</span> 1902 @babel/runtime@7.14.6 1903 1904 </span> 1905 1906 </li> 1907 <li> 1908 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1909 argo-cd-ui@1.0.0 1910 <span class="list-paths__item__arrow">›</span> 1911 argo-ui@1.0.0 1912 <span class="list-paths__item__arrow">›</span> 1913 history@4.10.1 1914 <span class="list-paths__item__arrow">›</span> 1915 @babel/runtime@7.14.6 1916 1917 </span> 1918 1919 </li> 1920 <li> 1921 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1922 argo-cd-ui@1.0.0 1923 <span class="list-paths__item__arrow">›</span> 1924 react-router@4.3.1 1925 <span class="list-paths__item__arrow">›</span> 1926 history@4.10.1 1927 <span class="list-paths__item__arrow">›</span> 1928 @babel/runtime@7.14.6 1929 1930 </span> 1931 1932 </li> 1933 <li> 1934 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1935 argo-cd-ui@1.0.0 1936 <span class="list-paths__item__arrow">›</span> 1937 react-router-dom@4.3.1 1938 <span class="list-paths__item__arrow">›</span> 1939 history@4.10.1 1940 <span class="list-paths__item__arrow">›</span> 1941 @babel/runtime@7.14.6 1942 1943 </span> 1944 1945 </li> 1946 <li> 1947 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1948 argo-cd-ui@1.0.0 1949 <span class="list-paths__item__arrow">›</span> 1950 react-form@2.16.3 1951 <span class="list-paths__item__arrow">›</span> 1952 react-redux@5.1.2 1953 <span class="list-paths__item__arrow">›</span> 1954 @babel/runtime@7.14.6 1955 1956 </span> 1957 1958 </li> 1959 <li> 1960 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1961 argo-cd-ui@1.0.0 1962 <span class="list-paths__item__arrow">›</span> 1963 react-form@2.16.3 1964 <span class="list-paths__item__arrow">›</span> 1965 
react-redux@5.1.2 1966 <span class="list-paths__item__arrow">›</span> 1967 @babel/runtime@7.14.6 1968 1969 </span> 1970 1971 </li> 1972 <li> 1973 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1974 argo-cd-ui@1.0.0 1975 <span class="list-paths__item__arrow">›</span> 1976 react-router-dom@4.3.1 1977 <span class="list-paths__item__arrow">›</span> 1978 react-router@4.3.1 1979 <span class="list-paths__item__arrow">›</span> 1980 history@4.10.1 1981 <span class="list-paths__item__arrow">›</span> 1982 @babel/runtime@7.14.6 1983 1984 </span> 1985 1986 </li> 1987 <li> 1988 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1989 argo-cd-ui@1.0.0 1990 <span class="list-paths__item__arrow">›</span> 1991 argo-ui@1.0.0 1992 <span class="list-paths__item__arrow">›</span> 1993 react-router-dom@4.3.1 1994 <span class="list-paths__item__arrow">›</span> 1995 history@4.10.1 1996 <span class="list-paths__item__arrow">›</span> 1997 @babel/runtime@7.14.6 1998 1999 </span> 2000 2001 </li> 2002 <li> 2003 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2004 argo-cd-ui@1.0.0 2005 <span class="list-paths__item__arrow">›</span> 2006 argo-ui@1.0.0 2007 <span class="list-paths__item__arrow">›</span> 2008 react-form@2.16.3 2009 <span class="list-paths__item__arrow">›</span> 2010 react-redux@5.1.2 2011 <span class="list-paths__item__arrow">›</span> 2012 @babel/runtime@7.14.6 2013 2014 </span> 2015 2016 </li> 2017 <li> 2018 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2019 argo-cd-ui@1.0.0 2020 <span class="list-paths__item__arrow">›</span> 2021 argo-ui@1.0.0 2022 <span class="list-paths__item__arrow">›</span> 2023 react-form@2.16.3 2024 <span class="list-paths__item__arrow">›</span> 2025 react-redux@5.1.2 2026 <span class="list-paths__item__arrow">›</span> 2027 @babel/runtime@7.14.6 2028 2029 </span> 2030 2031 </li> 2032 <li> 2033 <span class="list-paths__item__introduced"><em>Introduced through</em>: 
2034 argo-cd-ui@1.0.0 2035 <span class="list-paths__item__arrow">›</span> 2036 argo-ui@1.0.0 2037 <span class="list-paths__item__arrow">›</span> 2038 react-router-dom@4.3.1 2039 <span class="list-paths__item__arrow">›</span> 2040 react-router@4.3.1 2041 <span class="list-paths__item__arrow">›</span> 2042 history@4.10.1 2043 <span class="list-paths__item__arrow">›</span> 2044 @babel/runtime@7.14.6 2045 2046 </span> 2047 2048 </li> 2049 <li> 2050 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2051 argo-cd-ui@1.0.0 2052 <span class="list-paths__item__arrow">›</span> 2053 date-fns@2.30.0 2054 <span class="list-paths__item__arrow">›</span> 2055 @babel/runtime@7.21.5 2056 2057 </span> 2058 2059 </li> 2060 <li> 2061 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2062 argo-cd-ui@1.0.0 2063 <span class="list-paths__item__arrow">›</span> 2064 react-virtualized@9.22.3 2065 <span class="list-paths__item__arrow">›</span> 2066 @babel/runtime@7.20.13 2067 2068 </span> 2069 2070 </li> 2071 <li> 2072 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2073 argo-cd-ui@1.0.0 2074 <span class="list-paths__item__arrow">›</span> 2075 react-virtualized@9.22.3 2076 <span class="list-paths__item__arrow">›</span> 2077 dom-helpers@5.2.1 2078 <span class="list-paths__item__arrow">›</span> 2079 @babel/runtime@7.20.13 2080 2081 </span> 2082 2083 </li> 2084 <li> 2085 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2086 argo-cd-ui@1.0.0 2087 <span class="list-paths__item__arrow">›</span> 2088 redoc@2.4.0 2089 <span class="list-paths__item__arrow">›</span> 2090 polished@4.3.1 2091 <span class="list-paths__item__arrow">›</span> 2092 @babel/runtime@7.26.9 2093 2094 </span> 2095 2096 </li> 2097 </ul><!-- .list-paths --> 2098 2099 </div><!-- .card__section --> 2100 2101 <hr/> 2102 <!-- Overview --> 2103 <h2 id="overview">Overview</h2> 2104 <p>Affected versions of this package are vulnerable to Regular 
Expression Denial of Service (ReDoS) in the <code>replace()</code> method in <code>wrapRegExp.js</code>. An attacker can cause degradation in performance by supplying input strings that exploit the quadratic complexity of the replacement algorithm. </p> 2105 <p>This is only exploitable when all of the following conditions are met: </p> 2106 <ol> 2107 <li><p>The code passes untrusted strings in the second argument to <code>.replace()</code>.</p> 2108 </li> 2109 <li><p>The compiled regular expressions being applied contain named capture groups.</p> 2110 </li> 2111 </ol> 2112 <p>In the case of <code>@babel/preset-env</code>, if the <code>targets</code> option is in use the application will be vulnerable under either of the following conditions:</p> 2113 <ol> 2114 <li><p>A browser older than Chrome 64, Opera 71, Edge 79, Firefox 78, Safari 11.1, or Node.js 10 is used when processing named capture groups.</p> 2115 </li> 2116 <li><p>A browser older than Chrome/Edge 126, Opera 112, Firefox 129, Safari 17.4, or Node.js 23 is used when processing duplicated named capture groups.</p> 2117 </li> 2118 </ol> 2119 <p><strong>Note:</strong> The project maintainers advise that "just updating your Babel dependencies is not enough: you will also need to re-compile your code."</p> 2120 <h2 id="workaround">Workaround</h2> 2121 <p> This vulnerability can be avoided by filtering out input containing a <code>$<</code> that is not followed by a <code>></code>.</p> 2122 <h2 id="details">Details</h2> 2123 <p>Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. 
There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.</p> 2124 <p>Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.</p> 2125 <p>Let’s take the following regular expression as an example:</p> 2126 <pre><code class="language-js">regex = /A(B|C+)+D/ 2127 </code></pre> 2128 <p>This regular expression accomplishes the following:</p> 2129 <ul> 2130 <li><code>A</code> The string must start with the letter 'A'</li> 2131 <li><code>(B|C+)+</code> The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the <code>+</code> matches one or more times). The <code>+</code> at the end of this section states that we can look for one or more matches of this section.</li> 2132 <li><code>D</code> Finally, we ensure this section of the string ends with a 'D'</li> 2133 </ul> 2134 <p>The expression would match inputs such as <code>ABBD</code>, <code>ABCCCCD</code>, <code>ABCBCCCD</code> and <code>ACCCCCD</code>.</p> 2135 <p>In most cases, it doesn't take very long for a regex engine to find a match:</p> 2136 <pre><code class="language-bash">$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")' 2137 0.04s user 0.01s system 95% cpu 0.052 total 2138 2139 $ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")' 2140 1.79s user 0.02s system 99% cpu 1.812 total 2141 </code></pre> 2142 <p>The entire process of testing it against a 30-character string takes around 52ms. 
But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.</p> 2143 <p>Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as <em>catastrophic backtracking</em>.</p> 2144 <p>Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:</p> 2145 <ol> 2146 <li>CCC</li> 2147 <li>CC+C</li> 2148 <li>C+CC</li> 2149 <li>C+C+C.</li> 2150 </ol> 2151 <p>The engine has to try each of those combinations to see if any of them potentially match against the expression. 
When you combine that with the other steps the engine must take, we can use <a href="https://regex101.com/debugger">RegEx 101 debugger</a> to see the engine has to take a total of 38 steps before it can determine the string doesn't match.</p> 2152 <p>From there, the number of steps the engine must use to validate a string just continues to grow.</p> 2153 <table> 2154 <thead> 2155 <tr> 2156 <th>String</th> 2157 <th align="right">Number of C's</th> 2158 <th align="right">Number of steps</th> 2159 </tr> 2160 </thead> 2161 <tbody><tr> 2162 <td>ACCCX</td> 2163 <td align="right">3</td> 2164 <td align="right">38</td> 2165 </tr> 2166 <tr> 2167 <td>ACCCCX</td> 2168 <td align="right">4</td> 2169 <td align="right">71</td> 2170 </tr> 2171 <tr> 2172 <td>ACCCCCX</td> 2173 <td align="right">5</td> 2174 <td align="right">136</td> 2175 </tr> 2176 <tr> 2177 <td>ACCCCCCCCCCCCCCX</td> 2178 <td align="right">14</td> 2179 <td align="right">65,553</td> 2180 </tr> 2181 </tbody></table> 2182 <p>By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. 
These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.</p> 2183 <h2 id="remediation">Remediation</h2> 2184 <p>Upgrade <code>@babel/runtime</code> to version 7.26.10, 8.0.0-alpha.17 or higher.</p> 2185 <h2 id="references">References</h2> 2186 <ul> 2187 <li><a href="https://github.com/babel/babel/commit/d5952e80c0faa5ec20e35085531b6e572d31dad4">GitHub Commit</a></li> 2188 <li><a href="https://gist.github.com/mmmsssttt404/1f066ed9237f514714f2cc022d631838">GitHub Gist</a></li> 2189 <li><a href="https://github.com/babel/babel/pull/17173">GitHub PR</a></li> 2190 </ul> 2191 2192 <hr/> 2193 2194 <div class="cta card__cta"> 2195 <p><a href="https://snyk.io/vuln/SNYK-JS-BABELRUNTIME-10044504">More about this vulnerability</a></p> 2196 </div> 2197 2198 </div><!-- .card --> 2199 <div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low"> 2200 <h2 class="card__title">Arbitrary Code Injection</h2> 2201 <div class="card__section"> 2202 2203 <div class="card__labels"> 2204 <div class="label label--low"> 2205 <span class="label__text">low severity</span> 2206 </div> 2207 </div> 2208 2209 <hr/> 2210 2211 <ul class="card__meta"> 2212 <li class="card__meta__item"> 2213 Manifest file: /argo-cd <span class="list-paths__item__arrow">›</span> ui/yarn.lock 2214 </li> 2215 <li class="card__meta__item"> 2216 Package Manager: npm 2217 </li> 2218 <li class="card__meta__item"> 2219 Vulnerable module: 2220 2221 prismjs 2222 </li> 2223 2224 <li class="card__meta__item">Introduced through: 2225 2226 2227 argo-cd-ui@1.0.0, redoc@2.4.0 and others 2228 </li> 2229 </ul> 2230 2231 <hr/> 2232 2233 2234 <h3 class="card__section__title">Detailed paths</h3> 2235 2236 <ul class="card__meta__paths"> 2237 <li> 2238 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2239 
argo-cd-ui@1.0.0 2240 <span class="list-paths__item__arrow">›</span> 2241 redoc@2.4.0 2242 <span class="list-paths__item__arrow">›</span> 2243 prismjs@1.29.0 2244 2245 </span> 2246 2247 </li> 2248 </ul><!-- .list-paths --> 2249 2250 </div><!-- .card__section --> 2251 2252 <hr/> 2253 <!-- Overview --> 2254 <h2 id="overview">Overview</h2> 2255 <p><a href="http://prismjs.com/">prismjs</a> is a lightweight, robust, elegant syntax highlighting library.</p> 2256 <p>Affected versions of this package are vulnerable to Arbitrary Code Injection via the <code>document.currentScript</code> lookup process. An attacker can manipulate the web page content and execute unintended actions by injecting HTML elements that overshadow legitimate DOM elements.</p> 2257 <p><strong>Note:</strong></p> 2258 <p>This is only exploitable if the application accepts untrusted input containing HTML but not direct JavaScript.</p> 2259 <h2 id="remediation">Remediation</h2> 2260 <p>Upgrade <code>prismjs</code> to version 1.30.0 or higher.</p> 2261 <h2 id="references">References</h2> 2262 <ul> 2263 <li><a href="https://github.com/PrismJS/prism/commit/8e8b9352dac64457194dd9e51096b4772532e53d">GitHub Commit</a></li> 2264 <li><a href="https://gist.github.com/jackfromeast/aeb128e44f05f95828a1a824708df660">GitHub Gist</a></li> 2265 <li><a href="https://github.com/PrismJS/prism/pull/3863">GitHub PR</a></li> 2266 <li><a href="https://github.com/PrismJS/prism/blob/59e5a3471377057de1f401ba38337aca27b80e03/prism.js#L226-L259">Vulnerable Code</a></li> 2267 </ul> 2268 2269 <hr/> 2270 2271 <div class="cta card__cta"> 2272 <p><a href="https://snyk.io/vuln/SNYK-JS-PRISMJS-9055448">More about this vulnerability</a></p> 2273 </div> 2274 2275 </div><!-- .card --> 2276 <div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low"> 2277 <h2 class="card__title">Insecure Randomness</h2> 2278 <div class="card__section"> 2279 2280 <div class="card__labels"> 2281 <div class="label label--low"> 2282 <span 
class="label__text">low severity</span> 2283 </div> 2284 </div> 2285 2286 <hr/> 2287 2288 <ul class="card__meta"> 2289 <li class="card__meta__item"> 2290 Manifest file: /argo-cd <span class="list-paths__item__arrow">›</span> ui/yarn.lock 2291 </li> 2292 <li class="card__meta__item"> 2293 Package Manager: npm 2294 </li> 2295 <li class="card__meta__item"> 2296 Vulnerable module: 2297 2298 formidable 2299 </li> 2300 2301 <li class="card__meta__item">Introduced through: 2302 2303 2304 argo-cd-ui@1.0.0, superagent@8.1.2 and others 2305 </li> 2306 </ul> 2307 2308 <hr/> 2309 2310 2311 <h3 class="card__section__title">Detailed paths</h3> 2312 2313 <ul class="card__meta__paths"> 2314 <li> 2315 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2316 argo-cd-ui@1.0.0 2317 <span class="list-paths__item__arrow">›</span> 2318 superagent@8.1.2 2319 <span class="list-paths__item__arrow">›</span> 2320 formidable@2.1.2 2321 2322 </span> 2323 2324 </li> 2325 </ul><!-- .list-paths --> 2326 2327 </div><!-- .card__section --> 2328 2329 <hr/> 2330 <!-- Overview --> 2331 <h2 id="overview">Overview</h2> 2332 <p>Affected versions of this package are vulnerable to Insecure Randomness due to its use of the <code>hexoid()</code> function in the generation of fingerprint IDs.</p> 2333 <h2 id="remediation">Remediation</h2> 2334 <p>Upgrade <code>formidable</code> to version 2.1.3, 3.5.3 or higher.</p> 2335 <h2 id="references">References</h2> 2336 <ul> 2337 <li><a href="https://github.com/node-formidable/formidable/commit/022c2c5577dfe14d2947f10909d81b03b6070bf5">GitHub Commit</a></li> 2338 <li><a href="https://github.com/zast-ai/vulnerability-reports/blob/main/formidable/file_upload/report.md">Vulnerability Report</a></li> 2339 </ul> 2340 2341 <hr/> 2342 2343 <div class="cta card__cta"> 2344 <p><a href="https://snyk.io/vuln/SNYK-JS-FORMIDABLE-9788127">More about this vulnerability</a></p> 2345 </div> 2346 2347 </div><!-- .card --> 2348 <div class="card card--vuln 
disclosure--not-new severity--low" data-snyk-test="low"> 2349 <h2 class="card__title">Regular Expression Denial of Service (ReDoS)</h2> 2350 <div class="card__section"> 2351 2352 <div class="card__labels"> 2353 <div class="label label--low"> 2354 <span class="label__text">low severity</span> 2355 </div> 2356 </div> 2357 2358 <hr/> 2359 2360 <ul class="card__meta"> 2361 <li class="card__meta__item"> 2362 Manifest file: /argo-cd <span class="list-paths__item__arrow">›</span> ui/yarn.lock 2363 </li> 2364 <li class="card__meta__item"> 2365 Package Manager: npm 2366 </li> 2367 <li class="card__meta__item"> 2368 Vulnerable module: 2369 2370 brace-expansion 2371 </li> 2372 2373 <li class="card__meta__item">Introduced through: 2374 2375 2376 argo-cd-ui@1.0.0, minimatch@3.1.2 and others 2377 </li> 2378 </ul> 2379 2380 <hr/> 2381 2382 2383 <h3 class="card__section__title">Detailed paths</h3> 2384 2385 <ul class="card__meta__paths"> 2386 <li> 2387 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2388 argo-cd-ui@1.0.0 2389 <span class="list-paths__item__arrow">›</span> 2390 minimatch@3.1.2 2391 <span class="list-paths__item__arrow">›</span> 2392 brace-expansion@1.1.11 2393 2394 </span> 2395 2396 </li> 2397 <li> 2398 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2399 argo-cd-ui@1.0.0 2400 <span class="list-paths__item__arrow">›</span> 2401 redoc@2.4.0 2402 <span class="list-paths__item__arrow">›</span> 2403 @redocly/openapi-core@1.30.0 2404 <span class="list-paths__item__arrow">›</span> 2405 minimatch@5.1.6 2406 <span class="list-paths__item__arrow">›</span> 2407 brace-expansion@2.0.1 2408 2409 </span> 2410 2411 </li> 2412 </ul><!-- .list-paths --> 2413 2414 </div><!-- .card__section --> 2415 2416 <hr/> 2417 <!-- Overview --> 2418 <h2 id="overview">Overview</h2> 2419 <p><a href="https://github.com/juliangruber/brace-expansion">brace-expansion</a> provides brace expansion as known from sh/bash.</p> 2420 <p>Affected versions of this 
package are vulnerable to Regular Expression Denial of Service (ReDoS) in the <code>expand()</code> function, which is prone to catastrophic backtracking on very long malicious inputs.</p> 2421 <h2 id="poc">PoC</h2> 2422 <pre><code class="language-js">import index from "./index.js"; 2423 2424 let str = "{a}" + ",".repeat(100000) + "\u0000"; 2425 2426 let startTime = performance.now(); 2427 2428 const result = index(str); 2429 2430 let endTime = performance.now(); 2431 2432 let timeTaken = endTime - startTime; 2433 2434 console.log(`匹配耗时: ${timeTaken.toFixed(3)} 毫秒`); 2435 </code></pre> 2436 <h2 id="details">Details</h2> 2437 <p>Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.</p> 2438 <p>The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.</p> 2439 <p>Let’s take the following regular expression as an example:</p> 2440 <pre><code class="language-js">regex = /A(B|C+)+D/ 2441 </code></pre> 2442 <p>This regular expression accomplishes the following:</p> 2443 <ul> 2444 <li><code>A</code> The string must start with the letter 'A'</li> 2445 <li><code>(B|C+)+</code> The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the <code>+</code> matches one or more times). 
The <code>+</code> at the end of this section states that we can look for one or more matches of this section.</li> 2446 <li><code>D</code> Finally, we ensure this section of the string ends with a 'D'</li> 2447 </ul> 2448 <p>The expression would match inputs such as <code>ABBD</code>, <code>ABCCCCD</code>, <code>ABCBCCCD</code> and <code>ACCCCCD</code>.</p> 2449 <p>In most cases, it doesn't take very long for a regex engine to find a match:</p> 2450 <pre><code class="language-bash">$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")' 2451 0.04s user 0.01s system 95% cpu 0.052 total 2452 2453 $ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")' 2454 1.79s user 0.02s system 99% cpu 1.812 total 2455 </code></pre> 2456 <p>The entire process of testing it against a 30-character string takes around 52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.</p> 2457 <p>Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as <em>catastrophic backtracking</em>.</p> 2458 <p>Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". 
While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:</p> 2459 <ol> 2460 <li>CCC</li> 2461 <li>CC+C</li> 2462 <li>C+CC</li> 2463 <li>C+C+C.</li> 2464 </ol> 2465 <p>The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use <a href="https://regex101.com/debugger">RegEx 101 debugger</a> to see the engine has to take a total of 38 steps before it can determine the string doesn't match.</p> 2466 <p>From there, the number of steps the engine must use to validate a string just continues to grow.</p> 2467 <table> 2468 <thead> 2469 <tr> 2470 <th>String</th> 2471 <th align="right">Number of C's</th> 2472 <th align="right">Number of steps</th> 2473 </tr> 2474 </thead> 2475 <tbody><tr> 2476 <td>ACCCX</td> 2477 <td align="right">3</td> 2478 <td align="right">38</td> 2479 </tr> 2480 <tr> 2481 <td>ACCCCX</td> 2482 <td align="right">4</td> 2483 <td align="right">71</td> 2484 </tr> 2485 <tr> 2486 <td>ACCCCCX</td> 2487 <td align="right">5</td> 2488 <td align="right">136</td> 2489 </tr> 2490 <tr> 2491 <td>ACCCCCCCCCCCCCCX</td> 2492 <td align="right">14</td> 2493 <td align="right">65,553</td> 2494 </tr> 2495 </tbody></table> 2496 <p>By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. 
These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.</p> 2497 <h2 id="remediation">Remediation</h2> 2498 <p>Upgrade <code>brace-expansion</code> to version 1.1.12, 2.0.2, 3.0.1, 4.0.1 or higher.</p> 2499 <h2 id="references">References</h2> 2500 <ul> 2501 <li><a href="https://github.com/advisories/GHSA-v6h2-p8h4-qcjw">GitHub Advisory</a></li> 2502 <li><a href="https://github.com/juliangruber/brace-expansion/commit/0b6a9781e18e9d2769bb2931f4856d1360243ed2">GitHub Commit</a></li> 2503 <li><a href="https://gist.github.com/mmmsssttt404/37a40ce7d6e5ca604858fe30814d9466">GitHub Gist</a></li> 2504 <li><a href="https://github.com/juliangruber/brace-expansion/pull/65">GitHub PR</a></li> 2505 </ul> 2506 2507 <hr/> 2508 2509 <div class="cta card__cta"> 2510 <p><a href="https://snyk.io/vuln/SNYK-JS-BRACEEXPANSION-9789073">More about this vulnerability</a></p> 2511 </div> 2512 2513 </div><!-- .card --> 2514 </div><!-- cards --> 2515 </div> 2516 </main><!-- .layout-stacked__content --> 2517 </body> 2518 2519 </html>