github.com/argoproj/argo-cd/v3@v3.2.1/docs/snyk/v3.0.16/argocd-test.html
<!DOCTYPE html>
<html lang="en">

<head>
<meta http-equiv="Content-type" content="text/html; charset=utf-8">
<meta http-equiv="Content-Language" content="en-us">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<title>Snyk test report</title>
<meta name="description" content="16 known vulnerabilities found in 106 vulnerable dependency paths.">
<base target="_blank">
<link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png" sizes="194x194">
<link rel="shortcut icon" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.ico">
</head>

<body class="section-projects">
<main class="layout-stacked">
<div class="layout-stacked__header header">
<header class="project__header">
<div class="layout-container">
<a class="brand" href="https://snyk.io" title="Snyk">Snyk - Open Source Security</a>
<div class="header-wrap">
<h1 class="project__header__title">Snyk test report</h1>

<p class="timestamp">September 14th 2025, 12:26:50 am (UTC+00:00)</p>
</div>
<div class="source-panel">
<span>Scanned the following paths:</span>
<ul>
<li class="paths">/argo-cd/argoproj/argo-cd/v3/go.mod (gomodules)</li>
<li class="paths">/argo-cd/argoproj/argo-cd/get-previous-release/hack/get-previous-release/go.mod (gomodules)</li>
<li class="paths">/argo-cd/ui/yarn.lock (yarn)</li>
</ul>
</div>

<div class="meta-counts">
<div class="meta-count"><span>16</span> <span>known vulnerabilities</span></div>
<div class="meta-count"><span>106 vulnerable dependency paths</span></div>
<div class="meta-count"><span>2085</span> <span>dependencies</span></div>
</div><!-- .meta-counts -->
</div><!-- .layout-container--short -->
</header><!-- .project__header -->
</div><!-- .layout-stacked__header -->

<div class="layout-container" style="padding-top: 35px;">
<div class="cards--vuln filter--patch filter--ignore">
<div class="card card--vuln disclosure--not-new severity--critical" data-snyk-test="critical">
<h2 class="card__title">Predictable Value Range from Previous Values</h2>
<div class="card__section">

<div class="card__labels">
<div class="label label--critical">
<span class="label__text">critical severity</span>
</div>
</div>

<hr/>

<ul class="card__meta">
<li class="card__meta__item">
Manifest file: /argo-cd <span class="list-paths__item__arrow">›</span> ui/yarn.lock
</li>
<li class="card__meta__item">
Package Manager: npm
</li>
<li class="card__meta__item">
Vulnerable module:

form-data
</li>

<li class="card__meta__item">Introduced through:

argo-cd-ui@1.0.0, superagent@8.1.2 and others
</li>
</ul>

<hr/>

<h3 class="card__section__title">Detailed paths</h3>

<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
argo-cd-ui@1.0.0
<span class="list-paths__item__arrow">›</span>
superagent@8.1.2
<span class="list-paths__item__arrow">›</span>
form-data@4.0.0
</span>
</li>
</ul><!-- .list-paths -->

</div><!-- .card__section -->

<hr/>
<!-- Overview -->
<h2 id="overview">Overview</h2>
<p>Affected versions of this package are vulnerable to Predictable Value Range from Previous Values via the <code>boundary</code> value, which uses <code>Math.random()</code>. An attacker can manipulate HTTP request boundaries by exploiting predictable values, potentially leading to HTTP parameter pollution.</p>
<h2 id="remediation">Remediation</h2>
<p>Upgrade <code>form-data</code> to version 2.5.4, 3.0.4, 4.0.4 or higher.</p>
<h2 id="references">References</h2>
<ul>
<li><a href="https://github.com/form-data/form-data/commit/3d1723080e6577a66f17f163ecd345a21d8d0fd0">GitHub Commit</a></li>
<li><a href="https://github.com/form-data/form-data/commit/b88316c94bb004323669cd3639dc8bb8262539eb">GitHub Commit</a></li>
<li><a href="https://github.com/form-data/form-data/commit/c6ced61d4fae8f617ee2fd692133ed87baa5d0fd">GitHub Commit</a></li>
<li><a href="https://github.com/benweissmann/CVE-2025-7783-poc">POC</a></li>
<li><a href="https://github.com/form-data/form-data/blob/426ba9ac440f95d1998dac9a5cd8d738043b048f/lib/form_data.js#L347">Vulnerable Code</a></li>
</ul>

<hr/>

<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/SNYK-JS-FORMDATA-10841150">More about this vulnerability</a></p>
</div>

</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--high" data-snyk-test="high">
<h2 class="card__title">Prototype Pollution</h2>
<div class="card__section">

<div class="card__labels">
<div class="label label--high">
<span class="label__text">high severity</span>
</div>
</div>

<hr/>

<ul class="card__meta">
<li class="card__meta__item">
Manifest file: /argo-cd <span class="list-paths__item__arrow">›</span> ui/yarn.lock
</li>
<li class="card__meta__item">
Package Manager: npm
</li>
<li class="card__meta__item">
Vulnerable module:

redoc
</li>

<li class="card__meta__item">Introduced through:

argo-cd-ui@1.0.0 and redoc@2.0.0-rc.64
</li>
</ul>

<hr/>

<h3 class="card__section__title">Detailed paths</h3>

<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
argo-cd-ui@1.0.0
<span class="list-paths__item__arrow">›</span>
redoc@2.0.0-rc.64
</span>
</li>
</ul><!-- .list-paths -->

</div><!-- .card__section -->

<hr/>
<!-- Overview -->
<h2 id="overview">Overview</h2>
<p><a href="https://www.npmjs.com/package/redoc">redoc</a> generates API reference documentation from OpenAPI/Swagger definitions.</p>
<p>Affected versions of this package are vulnerable to Prototype Pollution via the <code>mergeObjects()</code> method in <code>utils/helpers.ts</code> due to improper user input sanitization.</p>
<h2 id="poc">PoC</h2>
<pre><code class="language-js">(async () => {
  const lib = await import('redoc');

  // Constructed input: JSON.parse creates "__proto__" as an own property of BAD_JSON
  var BAD_JSON = JSON.parse('{"__proto__":{"polluted":true}}');
  var victim = {};
  console.log("Before Attack: ", JSON.stringify(victim.__proto__));
  try {
    // The recursive merge walks into "__proto__" and writes onto Object.prototype
    lib.mergeObjects({}, BAD_JSON);
  } catch (e) { }
  // "polluted" is now visible on the unrelated victim object via the prototype chain
  console.log("After Attack: ", JSON.stringify(victim.__proto__));
  delete Object.prototype.polluted;
})();
</code></pre>
<h2 id="details">Details</h2>
<p>Prototype Pollution is a vulnerability affecting JavaScript. It refers to the ability to inject properties into the prototypes of existing JavaScript language constructs, such as objects. JavaScript allows all <code>Object</code> attributes to be altered, including their magical attributes such as <code>__proto__</code>, <code>constructor</code> and <code>prototype</code>. An attacker manipulates these attributes to overwrite, or pollute, the prototype of the base object by injecting other values. Properties on <code>Object.prototype</code> are then inherited by all JavaScript objects through the prototype chain. This leads either to denial of service, by triggering JavaScript exceptions, or to tampering with the application's behaviour to force the code path the attacker injects, which can lead to remote code execution.</p>
<p>There are two main ways in which the pollution of prototypes occurs:</p>
<ul>
<li><p>Unsafe <code>Object</code> recursive merge</p>
</li>
<li><p>Property definition by path</p>
</li>
</ul>
<h3 id="unsafe-object-recursive-merge">Unsafe Object recursive merge</h3>
<p>The logic of a vulnerable recursive merge function follows this high-level model:</p>
<pre><code>merge(target, source)
  foreach property of source
    if property exists and is an object on both the target and the source
      merge(target[property], source[property])
    else
      target[property] = source[property]
</code></pre>
<br>

<p>When the source object contains a property named <code>__proto__</code> defined with <code>Object.defineProperty()</code>, the condition that checks whether the property exists and is an object on both the target and the source passes, and the merge recurses with <code>Object.prototype</code> as the target and the attacker-controlled object as the source. The attacker's properties are then copied onto the <code>Object</code> prototype.</p>
<p>Clone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: <code>merge({}, source)</code>.</p>
<p><code>lodash</code> and <code>Hoek</code> are examples of libraries susceptible to recursive merge attacks.</p>
<h3 id="property-definition-by-path">Property definition by path</h3>
<p>There are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected has this signature: <code>theFunction(object, path, value)</code></p>
<p>If the attacker can control the value of “path”, they can set it to <code>__proto__.myValue</code>. <code>myValue</code> is then assigned to the prototype of the class of the object.</p>
<h2 id="types-of-attacks">Types of attacks</h2>
<p>There are a few ways in which Prototype Pollution can be leveraged:</p>
<table>
<thead>
<tr>
<th>Type</th>
<th>Origin</th>
<th>Short description</th>
</tr>
</thead>
<tbody><tr>
<td><strong>Denial of service (DoS)</strong></td>
<td>Client</td>
<td>This is the most likely attack. <br>DoS occurs when <code>Object</code> holds generic functions that are implicitly called for various operations (for example, <code>toString</code> and <code>valueOf</code>). <br> The attacker pollutes <code>Object.prototype.someattr</code> and alters its state to an unexpected value such as <code>Int</code> or <code>Object</code>. In this case, the code fails and is likely to cause a denial of service.
<br><strong>For example:</strong> if an attacker pollutes <code>Object.prototype.toString</code> by defining it as an integer, any code that relies on <code>someobject.toString()</code> then fails.</td>
</tr>
<tr>
<td><strong>Remote Code Execution</strong></td>
<td>Client</td>
<td>Remote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.<br><strong>For example:</strong> <code>eval(someobject.someattr)</code>. In this case, if the attacker pollutes <code>Object.prototype.someattr</code>, they can likely leverage this to execute code.</td>
</tr>
<tr>
<td><strong>Property Injection</strong></td>
<td>Client</td>
<td>The attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.<br> <strong>For example:</strong> if a codebase checks privileges for <code>someuser.isAdmin</code>, then when the attacker pollutes <code>Object.prototype.isAdmin</code> and sets it to <code>true</code>, they can achieve admin privileges.</td>
</tr>
</tbody></table>
<h2 id="affected-environments">Affected environments</h2>
<p>The following environments are susceptible to a Prototype Pollution attack:</p>
<ul>
<li><p>Application server</p>
</li>
<li><p>Web server</p>
</li>
<li><p>Web browser</p>
</li>
</ul>
<h2 id="how-to-prevent">How to prevent</h2>
<ol>
<li><p>Freeze the prototype: use <code>Object.freeze(Object.prototype)</code>.</p>
</li>
<li><p>Require schema validation of JSON input.</p>
</li>
<li><p>Avoid using unsafe recursive merge functions.</p>
</li>
<li><p>Consider using objects without prototypes (for example, <code>Object.create(null)</code>), breaking the prototype chain and preventing pollution.</p>
</li>
<li><p>As a best practice, use <code>Map</code> instead of <code>Object</code>.</p>
</li>
</ol>
<h3 id="for-more-information-on-this-vulnerability-type">For more information on this vulnerability type:</h3>
<p><a href="https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf">Arteau, Oliver. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018</a></p>
<h2 id="remediation">Remediation</h2>
<p>Upgrade <code>redoc</code> to version 2.4.0 or higher.</p>
<h2 id="references">References</h2>
<ul>
<li><a href="https://github.com/Redocly/redoc/commit/153ec7a0b7245639f404c0b038b612ae7377c7db">GitHub Commit</a></li>
<li><a href="https://github.com/Redocly/redoc/issues/2499">GitHub Issue</a></li>
<li><a href="https://github.com/Redocly/redoc/releases/tag/v2.4.0">GitHub Release</a></li>
</ul>

<hr/>

<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/SNYK-JS-REDOC-8664933">More about this vulnerability</a></p>
</div>

</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--high" data-snyk-test="high">
<h2 class="card__title">Allocation of Resources Without Limits or Throttling</h2>
<div class="card__section">

<div class="card__labels">
<div class="label label--high">
<span class="label__text">high severity</span>
</div>
</div>

<hr/>

<ul class="card__meta">
<li class="card__meta__item">
Manifest file: /argo-cd/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> go.mod
</li>
<li class="card__meta__item">
Package Manager: golang
</li>
<li class="card__meta__item">
Vulnerable module:

github.com/expr-lang/expr/vm
</li>

<li class="card__meta__item">Introduced through:

github.com/argoproj/argo-cd/v3@0.0.0,
github.com/argoproj/notifications-engine/pkg/triggers@#87bf0576a872 and others
</li>
</ul>

<hr/>

<h3 class="card__section__title">Detailed paths</h3>

<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v3@0.0.0
<span class="list-paths__item__arrow">›</span>
github.com/argoproj/notifications-engine/pkg/triggers@#87bf0576a872
<span class="list-paths__item__arrow">›</span>
github.com/expr-lang/expr/vm@1.16.9
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v3@0.0.0
<span class="list-paths__item__arrow">›</span>
github.com/expr-lang/expr@1.16.9
<span class="list-paths__item__arrow">›</span>
github.com/expr-lang/expr/vm@1.16.9
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v3@0.0.0
<span class="list-paths__item__arrow">›</span>
github.com/expr-lang/expr@1.16.9
<span class="list-paths__item__arrow">›</span>
github.com/expr-lang/expr/compiler@1.16.9
<span class="list-paths__item__arrow">›</span>
github.com/expr-lang/expr/vm@1.16.9
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v3@0.0.0
<span class="list-paths__item__arrow">›</span>
github.com/argoproj/notifications-engine/pkg/triggers@#87bf0576a872
<span class="list-paths__item__arrow">›</span>
github.com/expr-lang/expr@1.16.9
<span class="list-paths__item__arrow">›</span>
github.com/expr-lang/expr/vm@1.16.9
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v3@0.0.0
<span class="list-paths__item__arrow">›</span>
github.com/argoproj/notifications-engine/pkg/api@#87bf0576a872
<span class="list-paths__item__arrow">›</span>
github.com/argoproj/notifications-engine/pkg/triggers@#87bf0576a872
<span class="list-paths__item__arrow">›</span>
github.com/expr-lang/expr/vm@1.16.9
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v3@0.0.0
<span class="list-paths__item__arrow">›</span>
github.com/argoproj/notifications-engine/pkg/cmd@#87bf0576a872
<span class="list-paths__item__arrow">›</span>
github.com/argoproj/notifications-engine/pkg/triggers@#87bf0576a872
<span class="list-paths__item__arrow">›</span>
github.com/expr-lang/expr/vm@1.16.9
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v3@0.0.0
<span class="list-paths__item__arrow">›</span>
github.com/argoproj/notifications-engine/pkg/controller@#87bf0576a872
<span class="list-paths__item__arrow">›</span>
github.com/argoproj/notifications-engine/pkg/triggers@#87bf0576a872
<span class="list-paths__item__arrow">›</span>
github.com/expr-lang/expr/vm@1.16.9
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v3@0.0.0
<span class="list-paths__item__arrow">›</span>
github.com/expr-lang/expr@1.16.9
<span class="list-paths__item__arrow">›</span>
github.com/expr-lang/expr/compiler@1.16.9
<span class="list-paths__item__arrow">›</span>
github.com/expr-lang/expr/checker@1.16.9
<span class="list-paths__item__arrow">›</span>
github.com/expr-lang/expr/vm@1.16.9
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v3@0.0.0
<span class="list-paths__item__arrow">›</span>
github.com/argoproj/notifications-engine/pkg/triggers@#87bf0576a872
<span class="list-paths__item__arrow">›</span>
github.com/expr-lang/expr@1.16.9
<span class="list-paths__item__arrow">›</span>
github.com/expr-lang/expr/compiler@1.16.9
<span class="list-paths__item__arrow">›</span>
github.com/expr-lang/expr/vm@1.16.9
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v3@0.0.0
<span class="list-paths__item__arrow">›</span>
github.com/argoproj/notifications-engine/pkg/api@#87bf0576a872
<span class="list-paths__item__arrow">›</span>
github.com/argoproj/notifications-engine/pkg/triggers@#87bf0576a872
<span class="list-paths__item__arrow">›</span>
github.com/expr-lang/expr@1.16.9
<span class="list-paths__item__arrow">›</span>
github.com/expr-lang/expr/vm@1.16.9
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v3@0.0.0
<span class="list-paths__item__arrow">›</span>
github.com/argoproj/notifications-engine/pkg/cmd@#87bf0576a872
<span class="list-paths__item__arrow">›</span>
github.com/argoproj/notifications-engine/pkg/triggers@#87bf0576a872
<span class="list-paths__item__arrow">›</span>
github.com/expr-lang/expr@1.16.9
<span class="list-paths__item__arrow">›</span>
github.com/expr-lang/expr/vm@1.16.9
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v3@0.0.0
<span class="list-paths__item__arrow">›</span>
github.com/argoproj/notifications-engine/pkg/controller@#87bf0576a872
<span class="list-paths__item__arrow">›</span>
github.com/argoproj/notifications-engine/pkg/triggers@#87bf0576a872
<span class="list-paths__item__arrow">›</span>
github.com/expr-lang/expr@1.16.9
<span class="list-paths__item__arrow">›</span>
github.com/expr-lang/expr/vm@1.16.9
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v3@0.0.0
<span class="list-paths__item__arrow">›</span>
github.com/argoproj/notifications-engine/pkg/triggers@#87bf0576a872
<span class="list-paths__item__arrow">›</span>
github.com/expr-lang/expr@1.16.9
<span class="list-paths__item__arrow">›</span>
github.com/expr-lang/expr/compiler@1.16.9
<span class="list-paths__item__arrow">›</span>
github.com/expr-lang/expr/checker@1.16.9
<span class="list-paths__item__arrow">›</span>
github.com/expr-lang/expr/vm@1.16.9
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v3@0.0.0
<span class="list-paths__item__arrow">›</span>
github.com/argoproj/notifications-engine/pkg/api@#87bf0576a872
<span class="list-paths__item__arrow">›</span>
github.com/argoproj/notifications-engine/pkg/triggers@#87bf0576a872
<span class="list-paths__item__arrow">›</span>
github.com/expr-lang/expr@1.16.9
<span class="list-paths__item__arrow">›</span>
github.com/expr-lang/expr/compiler@1.16.9
<span class="list-paths__item__arrow">›</span>
github.com/expr-lang/expr/vm@1.16.9
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v3@0.0.0
<span class="list-paths__item__arrow">›</span>
github.com/argoproj/notifications-engine/pkg/cmd@#87bf0576a872
<span class="list-paths__item__arrow">›</span>
github.com/argoproj/notifications-engine/pkg/triggers@#87bf0576a872
<span class="list-paths__item__arrow">›</span>
github.com/expr-lang/expr@1.16.9
<span class="list-paths__item__arrow">›</span>
github.com/expr-lang/expr/compiler@1.16.9
<span class="list-paths__item__arrow">›</span>
github.com/expr-lang/expr/vm@1.16.9
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v3@0.0.0
<span class="list-paths__item__arrow">›</span>
github.com/argoproj/notifications-engine/pkg/controller@#87bf0576a872
<span class="list-paths__item__arrow">›</span>
github.com/argoproj/notifications-engine/pkg/triggers@#87bf0576a872
<span class="list-paths__item__arrow">›</span>
github.com/expr-lang/expr@1.16.9
<span class="list-paths__item__arrow">›</span>
github.com/expr-lang/expr/compiler@1.16.9
<span class="list-paths__item__arrow">›</span>
github.com/expr-lang/expr/vm@1.16.9
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v3@0.0.0
<span class="list-paths__item__arrow">›</span>
github.com/argoproj/notifications-engine/pkg/api@#87bf0576a872
<span class="list-paths__item__arrow">›</span>
github.com/argoproj/notifications-engine/pkg/triggers@#87bf0576a872
<span class="list-paths__item__arrow">›</span>
github.com/expr-lang/expr@1.16.9
<span class="list-paths__item__arrow">›</span>
github.com/expr-lang/expr/compiler@1.16.9
<span class="list-paths__item__arrow">›</span>
github.com/expr-lang/expr/checker@1.16.9
<span class="list-paths__item__arrow">›</span>
github.com/expr-lang/expr/vm@1.16.9
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v3@0.0.0
<span class="list-paths__item__arrow">›</span>
github.com/argoproj/notifications-engine/pkg/cmd@#87bf0576a872
<span class="list-paths__item__arrow">›</span>
github.com/argoproj/notifications-engine/pkg/triggers@#87bf0576a872
<span class="list-paths__item__arrow">›</span>
github.com/expr-lang/expr@1.16.9
<span class="list-paths__item__arrow">›</span>
github.com/expr-lang/expr/compiler@1.16.9
<span class="list-paths__item__arrow">›</span>
github.com/expr-lang/expr/checker@1.16.9
<span class="list-paths__item__arrow">›</span>
github.com/expr-lang/expr/vm@1.16.9
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v3@0.0.0
<span class="list-paths__item__arrow">›</span>
github.com/argoproj/notifications-engine/pkg/controller@#87bf0576a872
<span class="list-paths__item__arrow">›</span>
github.com/argoproj/notifications-engine/pkg/triggers@#87bf0576a872
<span class="list-paths__item__arrow">›</span>
github.com/expr-lang/expr@1.16.9
<span class="list-paths__item__arrow">›</span>
github.com/expr-lang/expr/compiler@1.16.9
<span class="list-paths__item__arrow">›</span>
github.com/expr-lang/expr/checker@1.16.9
<span class="list-paths__item__arrow">›</span>
github.com/expr-lang/expr/vm@1.16.9
</span>
</li>
</ul><!-- .list-paths -->

</div><!-- .card__section -->

<hr/>
<!-- Overview -->
<h2 id="overview">Overview</h2>
<p>Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the <code>parseExpression()</code> function in <code>parser.go</code>, due to the unrestricted size of input strings, which can cause the generation of large Abstract Syntax Trees (ASTs).
An attacker can crash the application by supplying excessively long deeply nested expression strings.</p> 1088 <h2 id="workaround">Workaround</h2> 1089 <p>This vulnerability can be avoided by checking and limiting the length of input expressions before parsing them.</p> 1090 <h2 id="remediation">Remediation</h2> 1091 <p>Upgrade <code>github.com/expr-lang/expr/vm</code> to version 1.17.0 or higher.</p> 1092 <h2 id="references">References</h2> 1093 <ul> 1094 <li><a href="https://github.com/expr-lang/expr/commit/0d19441454426d2f58edb22c31f3ba5f99c7a26e">GitHub Commit</a></li> 1095 <li><a href="https://github.com/expr-lang/expr/pull/762">GitHub PR</a></li> 1096 </ul> 1097 1098 <hr/> 1099 1100 <div class="cta card__cta"> 1101 <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMEXPRLANGEXPRVM-9460820">More about this vulnerability</a></p> 1102 </div> 1103 1104 </div><!-- .card --> 1105 <div class="card card--vuln disclosure--not-new severity--high" data-snyk-test="high"> 1106 <h2 class="card__title">Allocation of Resources Without Limits or Throttling</h2> 1107 <div class="card__section"> 1108 1109 <div class="card__labels"> 1110 <div class="label label--high"> 1111 <span class="label__text">high severity</span> 1112 </div> 1113 </div> 1114 1115 <hr/> 1116 1117 <ul class="card__meta"> 1118 <li class="card__meta__item"> 1119 Manifest file: /argo-cd/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> go.mod 1120 </li> 1121 <li class="card__meta__item"> 1122 Package Manager: golang 1123 </li> 1124 <li class="card__meta__item"> 1125 Vulnerable module: 1126 1127 github.com/expr-lang/expr/parser 1128 </li> 1129 1130 <li class="card__meta__item">Introduced through: 1131 1132 1133 github.com/argoproj/argo-cd/v3@0.0.0, github.com/expr-lang/expr@1.16.9 and others 1134 </li> 1135 </ul> 1136 1137 <hr/> 1138 1139 1140 <h3 class="card__section__title">Detailed paths</h3> 1141 1142 <ul class="card__meta__paths"> 1143 <li> 1144 <span 
class="list-paths__item__introduced"><em>Introduced through</em>: 1145 github.com/argoproj/argo-cd/v3@0.0.0 1146 <span class="list-paths__item__arrow">›</span> 1147 github.com/expr-lang/expr@1.16.9 1148 <span class="list-paths__item__arrow">›</span> 1149 github.com/expr-lang/expr/compiler@1.16.9 1150 <span class="list-paths__item__arrow">›</span> 1151 github.com/expr-lang/expr/parser@1.16.9 1152 1153 </span> 1154 1155 </li> 1156 <li> 1157 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1158 github.com/argoproj/argo-cd/v3@0.0.0 1159 <span class="list-paths__item__arrow">›</span> 1160 github.com/expr-lang/expr@1.16.9 1161 <span class="list-paths__item__arrow">›</span> 1162 github.com/expr-lang/expr/compiler@1.16.9 1163 <span class="list-paths__item__arrow">›</span> 1164 github.com/expr-lang/expr/checker@1.16.9 1165 <span class="list-paths__item__arrow">›</span> 1166 github.com/expr-lang/expr/parser@1.16.9 1167 1168 </span> 1169 1170 </li> 1171 <li> 1172 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1173 github.com/argoproj/argo-cd/v3@0.0.0 1174 <span class="list-paths__item__arrow">›</span> 1175 github.com/argoproj/notifications-engine/pkg/triggers@#87bf0576a872 1176 <span class="list-paths__item__arrow">›</span> 1177 github.com/expr-lang/expr@1.16.9 1178 <span class="list-paths__item__arrow">›</span> 1179 github.com/expr-lang/expr/compiler@1.16.9 1180 <span class="list-paths__item__arrow">›</span> 1181 github.com/expr-lang/expr/parser@1.16.9 1182 1183 </span> 1184 1185 </li> 1186 <li> 1187 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1188 github.com/argoproj/argo-cd/v3@0.0.0 1189 <span class="list-paths__item__arrow">›</span> 1190 github.com/argoproj/notifications-engine/pkg/triggers@#87bf0576a872 1191 <span class="list-paths__item__arrow">›</span> 1192 github.com/expr-lang/expr@1.16.9 1193 <span class="list-paths__item__arrow">›</span> 1194 github.com/expr-lang/expr/compiler@1.16.9 1195 
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr/checker@1.16.9
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr/parser@1.16.9
        </span>
      </li>
      <li>
        <span class="list-paths__item__introduced"><em>Introduced through</em>:
          github.com/argoproj/argo-cd/v3@0.0.0
          <span class="list-paths__item__arrow">›</span>
          github.com/argoproj/notifications-engine/pkg/api@#87bf0576a872
          <span class="list-paths__item__arrow">›</span>
          github.com/argoproj/notifications-engine/pkg/triggers@#87bf0576a872
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr@1.16.9
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr/compiler@1.16.9
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr/parser@1.16.9
        </span>
      </li>
      <li>
        <span class="list-paths__item__introduced"><em>Introduced through</em>:
          github.com/argoproj/argo-cd/v3@0.0.0
          <span class="list-paths__item__arrow">›</span>
          github.com/argoproj/notifications-engine/pkg/cmd@#87bf0576a872
          <span class="list-paths__item__arrow">›</span>
          github.com/argoproj/notifications-engine/pkg/triggers@#87bf0576a872
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr@1.16.9
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr/compiler@1.16.9
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr/parser@1.16.9
        </span>
      </li>
      <li>
        <span class="list-paths__item__introduced"><em>Introduced through</em>:
          github.com/argoproj/argo-cd/v3@0.0.0
          <span class="list-paths__item__arrow">›</span>
          github.com/argoproj/notifications-engine/pkg/controller@#87bf0576a872
          <span class="list-paths__item__arrow">›</span>
          github.com/argoproj/notifications-engine/pkg/triggers@#87bf0576a872
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr@1.16.9
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr/compiler@1.16.9
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr/parser@1.16.9
        </span>
      </li>
      <li>
        <span class="list-paths__item__introduced"><em>Introduced through</em>:
          github.com/argoproj/argo-cd/v3@0.0.0
          <span class="list-paths__item__arrow">›</span>
          github.com/argoproj/notifications-engine/pkg/api@#87bf0576a872
          <span class="list-paths__item__arrow">›</span>
          github.com/argoproj/notifications-engine/pkg/triggers@#87bf0576a872
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr@1.16.9
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr/compiler@1.16.9
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr/checker@1.16.9
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr/parser@1.16.9
        </span>
      </li>
      <li>
        <span class="list-paths__item__introduced"><em>Introduced through</em>:
          github.com/argoproj/argo-cd/v3@0.0.0
          <span class="list-paths__item__arrow">›</span>
          github.com/argoproj/notifications-engine/pkg/cmd@#87bf0576a872
          <span class="list-paths__item__arrow">›</span>
          github.com/argoproj/notifications-engine/pkg/triggers@#87bf0576a872
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr@1.16.9
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr/compiler@1.16.9
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr/checker@1.16.9
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr/parser@1.16.9
        </span>
      </li>
      <li>
        <span class="list-paths__item__introduced"><em>Introduced through</em>:
          github.com/argoproj/argo-cd/v3@0.0.0
          <span class="list-paths__item__arrow">›</span>
          github.com/argoproj/notifications-engine/pkg/controller@#87bf0576a872
          <span class="list-paths__item__arrow">›</span>
          github.com/argoproj/notifications-engine/pkg/triggers@#87bf0576a872
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr@1.16.9
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr/compiler@1.16.9
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr/checker@1.16.9
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr/parser@1.16.9
        </span>
      </li>
    </ul><!-- .list-paths -->
  </div><!-- .card__section -->
  <hr/>
  <!-- Overview -->
  <h2 id="overview">Overview</h2>
  <p>Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the <code>parseExpression()</code> function in <code>parser.go</code>, due to the unrestricted size of input strings, which can cause the generation of large Abstract Syntax Trees (ASTs).
  An attacker can crash the application by supplying excessively long deeply nested expression strings.</p>
  <h2 id="workaround">Workaround</h2>
  <p>This vulnerability can be avoided by checking and limiting the length of input expressions before parsing them.</p>
  <h2 id="remediation">Remediation</h2>
  <p>Upgrade <code>github.com/expr-lang/expr/parser</code> to version 1.17.0 or higher.</p>
  <h2 id="references">References</h2>
  <ul>
    <li><a href="https://github.com/expr-lang/expr/commit/0d19441454426d2f58edb22c31f3ba5f99c7a26e">GitHub Commit</a></li>
    <li><a href="https://github.com/expr-lang/expr/pull/762">GitHub PR</a></li>
  </ul>
  <hr/>
  <div class="cta card__cta">
    <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMEXPRLANGEXPRPARSER-9460819">More about this vulnerability</a></p>
  </div>
</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--high" data-snyk-test="high">
  <h2 class="card__title">Allocation of Resources Without Limits or Throttling</h2>
  <div class="card__section">
    <div class="card__labels">
      <div class="label label--high">
        <span class="label__text">high severity</span>
      </div>
    </div>
    <hr/>
    <ul class="card__meta">
      <li class="card__meta__item">
        Manifest file: /argo-cd/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> go.mod
      </li>
      <li class="card__meta__item">
        Package Manager: golang
      </li>
      <li class="card__meta__item">
        Vulnerable module:
        github.com/expr-lang/expr/conf
      </li>
      <li class="card__meta__item">Introduced through:
        github.com/argoproj/argo-cd/v3@0.0.0, github.com/expr-lang/expr@1.16.9 and others
      </li>
    </ul>
    <hr/>
    <h3 class="card__section__title">Detailed paths</h3>
    <ul class="card__meta__paths">
      <li>
        <span class="list-paths__item__introduced"><em>Introduced through</em>:
          github.com/argoproj/argo-cd/v3@0.0.0
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr@1.16.9
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr/conf@1.16.9
        </span>
      </li>
      <li>
        <span class="list-paths__item__introduced"><em>Introduced through</em>:
          github.com/argoproj/argo-cd/v3@0.0.0
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr@1.16.9
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr/compiler@1.16.9
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr/conf@1.16.9
        </span>
      </li>
      <li>
        <span class="list-paths__item__introduced"><em>Introduced through</em>:
          github.com/argoproj/argo-cd/v3@0.0.0
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr@1.16.9
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr/optimizer@1.16.9
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr/conf@1.16.9
        </span>
      </li>
      <li>
        <span class="list-paths__item__introduced"><em>Introduced through</em>:
          github.com/argoproj/argo-cd/v3@0.0.0
          <span class="list-paths__item__arrow">›</span>
          github.com/argoproj/notifications-engine/pkg/triggers@#87bf0576a872
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr@1.16.9
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr/conf@1.16.9
        </span>
      </li>
      <li>
        <span class="list-paths__item__introduced"><em>Introduced through</em>:
          github.com/argoproj/argo-cd/v3@0.0.0
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr@1.16.9
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr/patcher@1.16.9
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr/conf@1.16.9
        </span>
      </li>
      <li>
        <span class="list-paths__item__introduced"><em>Introduced through</em>:
          github.com/argoproj/argo-cd/v3@0.0.0
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr@1.16.9
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr/compiler@1.16.9
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr/checker@1.16.9
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr/conf@1.16.9
        </span>
      </li>
      <li>
        <span class="list-paths__item__introduced"><em>Introduced through</em>:
          github.com/argoproj/argo-cd/v3@0.0.0
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr@1.16.9
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr/compiler@1.16.9
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr/parser@1.16.9
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr/conf@1.16.9
        </span>
      </li>
      <li>
        <span class="list-paths__item__introduced"><em>Introduced through</em>:
          github.com/argoproj/argo-cd/v3@0.0.0
          <span class="list-paths__item__arrow">›</span>
          github.com/argoproj/notifications-engine/pkg/triggers@#87bf0576a872
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr@1.16.9
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr/compiler@1.16.9
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr/conf@1.16.9
        </span>
      </li>
      <li>
        <span class="list-paths__item__introduced"><em>Introduced through</em>:
          github.com/argoproj/argo-cd/v3@0.0.0
          <span class="list-paths__item__arrow">›</span>
          github.com/argoproj/notifications-engine/pkg/triggers@#87bf0576a872
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr@1.16.9
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr/optimizer@1.16.9
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr/conf@1.16.9
        </span>
      </li>
      <li>
        <span class="list-paths__item__introduced"><em>Introduced through</em>:
          github.com/argoproj/argo-cd/v3@0.0.0
          <span class="list-paths__item__arrow">›</span>
          github.com/argoproj/notifications-engine/pkg/api@#87bf0576a872
          <span class="list-paths__item__arrow">›</span>
          github.com/argoproj/notifications-engine/pkg/triggers@#87bf0576a872
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr@1.16.9
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr/conf@1.16.9
        </span>
      </li>
      <li>
        <span class="list-paths__item__introduced"><em>Introduced through</em>:
          github.com/argoproj/argo-cd/v3@0.0.0
          <span class="list-paths__item__arrow">›</span>
          github.com/argoproj/notifications-engine/pkg/cmd@#87bf0576a872
          <span class="list-paths__item__arrow">›</span>
          github.com/argoproj/notifications-engine/pkg/triggers@#87bf0576a872
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr@1.16.9
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr/conf@1.16.9
        </span>
      </li>
      <li>
        <span class="list-paths__item__introduced"><em>Introduced through</em>:
          github.com/argoproj/argo-cd/v3@0.0.0
          <span class="list-paths__item__arrow">›</span>
          github.com/argoproj/notifications-engine/pkg/controller@#87bf0576a872
          <span class="list-paths__item__arrow">›</span>
          github.com/argoproj/notifications-engine/pkg/triggers@#87bf0576a872
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr@1.16.9
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr/conf@1.16.9
        </span>
      </li>
      <li>
        <span class="list-paths__item__introduced"><em>Introduced through</em>:
          github.com/argoproj/argo-cd/v3@0.0.0
          <span class="list-paths__item__arrow">›</span>
          github.com/argoproj/notifications-engine/pkg/triggers@#87bf0576a872
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr@1.16.9
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr/patcher@1.16.9
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr/conf@1.16.9
        </span>
      </li>
      <li>
        <span class="list-paths__item__introduced"><em>Introduced through</em>:
          github.com/argoproj/argo-cd/v3@0.0.0
          <span class="list-paths__item__arrow">›</span>
          github.com/argoproj/notifications-engine/pkg/triggers@#87bf0576a872
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr@1.16.9
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr/compiler@1.16.9
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr/checker@1.16.9
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr/conf@1.16.9
        </span>
      </li>
      <li>
        <span class="list-paths__item__introduced"><em>Introduced through</em>:
          github.com/argoproj/argo-cd/v3@0.0.0
          <span class="list-paths__item__arrow">›</span>
          github.com/argoproj/notifications-engine/pkg/triggers@#87bf0576a872
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr@1.16.9
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr/compiler@1.16.9
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr/parser@1.16.9
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr/conf@1.16.9
        </span>
      </li>
      <li>
        <span class="list-paths__item__introduced"><em>Introduced through</em>:
          github.com/argoproj/argo-cd/v3@0.0.0
          <span class="list-paths__item__arrow">›</span>
          github.com/argoproj/notifications-engine/pkg/api@#87bf0576a872
          <span class="list-paths__item__arrow">›</span>
          github.com/argoproj/notifications-engine/pkg/triggers@#87bf0576a872
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr@1.16.9
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr/compiler@1.16.9
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr/conf@1.16.9
        </span>
      </li>
      <li>
        <span class="list-paths__item__introduced"><em>Introduced through</em>:
          github.com/argoproj/argo-cd/v3@0.0.0
          <span class="list-paths__item__arrow">›</span>
          github.com/argoproj/notifications-engine/pkg/cmd@#87bf0576a872
          <span class="list-paths__item__arrow">›</span>
          github.com/argoproj/notifications-engine/pkg/triggers@#87bf0576a872
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr@1.16.9
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr/compiler@1.16.9
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr/conf@1.16.9
        </span>
      </li>
      <li>
        <span class="list-paths__item__introduced"><em>Introduced through</em>:
          github.com/argoproj/argo-cd/v3@0.0.0
          <span class="list-paths__item__arrow">›</span>
          github.com/argoproj/notifications-engine/pkg/controller@#87bf0576a872
          <span class="list-paths__item__arrow">›</span>
          github.com/argoproj/notifications-engine/pkg/triggers@#87bf0576a872
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr@1.16.9
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr/compiler@1.16.9
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr/conf@1.16.9
        </span>
      </li>
      <li>
        <span class="list-paths__item__introduced"><em>Introduced through</em>:
          github.com/argoproj/argo-cd/v3@0.0.0
          <span class="list-paths__item__arrow">›</span>
          github.com/argoproj/notifications-engine/pkg/api@#87bf0576a872
          <span class="list-paths__item__arrow">›</span>
          github.com/argoproj/notifications-engine/pkg/triggers@#87bf0576a872
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr@1.16.9
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr/optimizer@1.16.9
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr/conf@1.16.9
        </span>
      </li>
      <li>
        <span class="list-paths__item__introduced"><em>Introduced through</em>:
          github.com/argoproj/argo-cd/v3@0.0.0
          <span class="list-paths__item__arrow">›</span>
          github.com/argoproj/notifications-engine/pkg/cmd@#87bf0576a872
          <span class="list-paths__item__arrow">›</span>
          github.com/argoproj/notifications-engine/pkg/triggers@#87bf0576a872
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr@1.16.9
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr/optimizer@1.16.9
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr/conf@1.16.9
        </span>
      </li>
      <li>
        <span class="list-paths__item__introduced"><em>Introduced through</em>:
          github.com/argoproj/argo-cd/v3@0.0.0
          <span class="list-paths__item__arrow">›</span>
          github.com/argoproj/notifications-engine/pkg/controller@#87bf0576a872
          <span class="list-paths__item__arrow">›</span>
          github.com/argoproj/notifications-engine/pkg/triggers@#87bf0576a872
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr@1.16.9
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr/optimizer@1.16.9
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr/conf@1.16.9
        </span>
      </li>
      <li>
        <span class="list-paths__item__introduced"><em>Introduced through</em>:
          github.com/argoproj/argo-cd/v3@0.0.0
          <span class="list-paths__item__arrow">›</span>
          github.com/argoproj/notifications-engine/pkg/api@#87bf0576a872
          <span class="list-paths__item__arrow">›</span>
          github.com/argoproj/notifications-engine/pkg/triggers@#87bf0576a872
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr@1.16.9
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr/patcher@1.16.9
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr/conf@1.16.9
        </span>
      </li>
      <li>
        <span class="list-paths__item__introduced"><em>Introduced through</em>:
          github.com/argoproj/argo-cd/v3@0.0.0
          <span class="list-paths__item__arrow">›</span>
          github.com/argoproj/notifications-engine/pkg/cmd@#87bf0576a872
          <span class="list-paths__item__arrow">›</span>
          github.com/argoproj/notifications-engine/pkg/triggers@#87bf0576a872
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr@1.16.9
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr/patcher@1.16.9
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr/conf@1.16.9
        </span>
      </li>
      <li>
        <span class="list-paths__item__introduced"><em>Introduced through</em>:
          github.com/argoproj/argo-cd/v3@0.0.0
          <span class="list-paths__item__arrow">›</span>
          github.com/argoproj/notifications-engine/pkg/controller@#87bf0576a872
          <span class="list-paths__item__arrow">›</span>
          github.com/argoproj/notifications-engine/pkg/triggers@#87bf0576a872
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr@1.16.9
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr/patcher@1.16.9
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr/conf@1.16.9
        </span>
      </li>
      <li>
        <span class="list-paths__item__introduced"><em>Introduced through</em>:
          github.com/argoproj/argo-cd/v3@0.0.0
          <span class="list-paths__item__arrow">›</span>
          github.com/argoproj/notifications-engine/pkg/api@#87bf0576a872
          <span class="list-paths__item__arrow">›</span>
          github.com/argoproj/notifications-engine/pkg/triggers@#87bf0576a872
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr@1.16.9
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr/compiler@1.16.9
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr/checker@1.16.9
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr/conf@1.16.9
        </span>
      </li>
      <li>
        <span class="list-paths__item__introduced"><em>Introduced through</em>:
          github.com/argoproj/argo-cd/v3@0.0.0
          <span class="list-paths__item__arrow">›</span>
          github.com/argoproj/notifications-engine/pkg/cmd@#87bf0576a872
          <span class="list-paths__item__arrow">›</span>
          github.com/argoproj/notifications-engine/pkg/triggers@#87bf0576a872
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr@1.16.9
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr/compiler@1.16.9
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr/checker@1.16.9
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr/conf@1.16.9
        </span>
      </li>
      <li>
        <span class="list-paths__item__introduced"><em>Introduced through</em>:
          github.com/argoproj/argo-cd/v3@0.0.0
          <span class="list-paths__item__arrow">›</span>
          github.com/argoproj/notifications-engine/pkg/controller@#87bf0576a872
          <span class="list-paths__item__arrow">›</span>
          github.com/argoproj/notifications-engine/pkg/triggers@#87bf0576a872
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr@1.16.9
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr/compiler@1.16.9
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr/checker@1.16.9
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr/conf@1.16.9
        </span>
      </li>
      <li>
        <span class="list-paths__item__introduced"><em>Introduced through</em>:
          github.com/argoproj/argo-cd/v3@0.0.0
          <span class="list-paths__item__arrow">›</span>
          github.com/argoproj/notifications-engine/pkg/api@#87bf0576a872
          <span class="list-paths__item__arrow">›</span>
          github.com/argoproj/notifications-engine/pkg/triggers@#87bf0576a872
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr@1.16.9
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr/compiler@1.16.9
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr/parser@1.16.9
          <span class="list-paths__item__arrow">›</span>
          github.com/expr-lang/expr/conf@1.16.9
        </span>
      </li>
      <li>
        <span class="list-paths__item__introduced"><em>Introduced through</em>:
          github.com/argoproj/argo-cd/v3@0.0.0
          <span class="list-paths__item__arrow">›</span>
          github.com/argoproj/notifications-engine/pkg/cmd@#87bf0576a872
          <span class="list-paths__item__arrow">›</span>
          github.com/argoproj/notifications-engine/pkg/triggers@#87bf0576a872
          <span class="list-paths__item__arrow">›</span>
github.com/expr-lang/expr@1.16.9 1829 <span class="list-paths__item__arrow">›</span> 1830 github.com/expr-lang/expr/compiler@1.16.9 1831 <span class="list-paths__item__arrow">›</span> 1832 github.com/expr-lang/expr/parser@1.16.9 1833 <span class="list-paths__item__arrow">›</span> 1834 github.com/expr-lang/expr/conf@1.16.9 1835 1836 </span> 1837 1838 </li> 1839 <li> 1840 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1841 github.com/argoproj/argo-cd/v3@0.0.0 1842 <span class="list-paths__item__arrow">›</span> 1843 github.com/argoproj/notifications-engine/pkg/controller@#87bf0576a872 1844 <span class="list-paths__item__arrow">›</span> 1845 github.com/argoproj/notifications-engine/pkg/triggers@#87bf0576a872 1846 <span class="list-paths__item__arrow">›</span> 1847 github.com/expr-lang/expr@1.16.9 1848 <span class="list-paths__item__arrow">›</span> 1849 github.com/expr-lang/expr/compiler@1.16.9 1850 <span class="list-paths__item__arrow">›</span> 1851 github.com/expr-lang/expr/parser@1.16.9 1852 <span class="list-paths__item__arrow">›</span> 1853 github.com/expr-lang/expr/conf@1.16.9 1854 1855 </span> 1856 1857 </li> 1858 </ul><!-- .list-paths --> 1859 1860 </div><!-- .card__section --> 1861 1862 <hr/> 1863 <!-- Overview --> 1864 <h2 id="overview">Overview</h2> 1865 <p>Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the <code>parseExpression()</code> function in <code>parser.go</code>, due to the unrestricted size of input strings, which can cause the generation of large Abstract Syntax Trees (ASTs). 
An attacker can crash the application by supplying excessively long, deeply nested expression strings.</p>
<h2 id="workaround">Workaround</h2>
<p>This vulnerability can be avoided by checking and limiting the length of input expressions before parsing them.</p>
<h2 id="remediation">Remediation</h2>
<p>Upgrade <code>github.com/expr-lang/expr/conf</code> to version 1.17.0 or higher.</p>
<h2 id="references">References</h2>
<ul>
<li><a href="https://github.com/expr-lang/expr/commit/0d19441454426d2f58edb22c31f3ba5f99c7a26e">GitHub Commit</a></li>
<li><a href="https://github.com/expr-lang/expr/pull/762">GitHub PR</a></li>
</ul>
<hr/>
<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMEXPRLANGEXPRCONF-9460818">More about this vulnerability</a></p>
</div>
</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium">
<h2 class="card__title">MPL-2.0 license</h2>
<div class="card__section">
<div class="card__labels">
<div class="label label--medium">
<span class="label__text">medium severity</span>
</div>
</div>
<hr/>
<ul class="card__meta">
<li class="card__meta__item">
Manifest file: /argo-cd/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> go.mod
</li>
<li class="card__meta__item">
Package Manager: golang
</li>
<li class="card__meta__item">
Module:
github.com/r3labs/diff/v3
</li>
<li class="card__meta__item">Introduced through:
github.com/argoproj/argo-cd/v3@0.0.0 and github.com/r3labs/diff/v3@3.0.1
</li>
</ul>
<hr/>
<h3 class="card__section__title">Detailed paths</h3>
<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v3@0.0.0
<span class="list-paths__item__arrow">›</span>
github.com/r3labs/diff/v3@3.0.1
</span>
</li>
</ul><!-- .list-paths -->
</div><!-- .card__section -->
<hr/>
<!-- Overview -->
<p>MPL-2.0 license</p>
<hr/>
<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:r3labs:diff:v3:MPL-2.0">More about this vulnerability</a></p>
</div>
</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium">
<h2 class="card__title">MPL-2.0 license</h2>
<div class="card__section">
<div class="card__labels">
<div class="label label--medium">
<span class="label__text">medium severity</span>
</div>
</div>
<hr/>
<ul class="card__meta">
<li class="card__meta__item">
Manifest file: /argo-cd/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> go.mod
</li>
<li class="card__meta__item">
Package Manager: golang
</li>
<li class="card__meta__item">
Module:
github.com/hashicorp/go-version
</li>
<li class="card__meta__item">Introduced through:
github.com/argoproj/argo-cd/v3@0.0.0, code.gitea.io/sdk/gitea@0.20.0 and others
</li>
</ul>
<hr/>
<h3 class="card__section__title">Detailed paths</h3>
<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v3@0.0.0
<span class="list-paths__item__arrow">›</span>
code.gitea.io/sdk/gitea@0.20.0
<span class="list-paths__item__arrow">›</span>
github.com/hashicorp/go-version@1.6.0
</span>
</li>
</ul><!-- .list-paths -->
</div><!-- .card__section -->
<hr/>
<!-- Overview -->
<p>MPL-2.0 license</p>
<hr/>
<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:go-version:MPL-2.0">More about this vulnerability</a></p>
</div>
</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium">
<h2 class="card__title">MPL-2.0 license</h2>
<div class="card__section">
<div class="card__labels">
<div class="label label--medium">
<span class="label__text">medium severity</span>
</div>
</div>
<hr/>
<ul class="card__meta">
<li class="card__meta__item">
Manifest file: /argo-cd/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> go.mod
</li>
<li class="card__meta__item">
Package Manager: golang
</li>
<li class="card__meta__item">
Module:
github.com/hashicorp/go-retryablehttp
</li>
<li class="card__meta__item">Introduced through:
github.com/argoproj/argo-cd/v3@0.0.0 and github.com/hashicorp/go-retryablehttp@0.7.7
</li>
</ul>
<hr/>
<h3 class="card__section__title">Detailed paths</h3>
<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v3@0.0.0
<span class="list-paths__item__arrow">›</span>
github.com/hashicorp/go-retryablehttp@0.7.7
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v3@0.0.0
<span class="list-paths__item__arrow">›</span>
github.com/argoproj/notifications-engine/pkg/services@#87bf0576a872
<span class="list-paths__item__arrow">›</span>
github.com/hashicorp/go-retryablehttp@0.7.7
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v3@0.0.0
<span class="list-paths__item__arrow">›</span>
gitlab.com/gitlab-org/api/client-go@0.116.0
<span class="list-paths__item__arrow">›</span>
github.com/hashicorp/go-retryablehttp@0.7.7
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v3@0.0.0
<span class="list-paths__item__arrow">›</span>
github.com/argoproj/notifications-engine/pkg/subscriptions@#87bf0576a872
<span class="list-paths__item__arrow">›</span>
github.com/argoproj/notifications-engine/pkg/services@#87bf0576a872
<span class="list-paths__item__arrow">›</span>
github.com/hashicorp/go-retryablehttp@0.7.7
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v3@0.0.0
<span class="list-paths__item__arrow">›</span>
github.com/argoproj/notifications-engine/pkg/cmd@#87bf0576a872
<span class="list-paths__item__arrow">›</span>
github.com/argoproj/notifications-engine/pkg/services@#87bf0576a872
<span class="list-paths__item__arrow">›</span>
github.com/hashicorp/go-retryablehttp@0.7.7
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v3@0.0.0
<span class="list-paths__item__arrow">›</span>
github.com/argoproj/notifications-engine/pkg/services@#87bf0576a872
<span class="list-paths__item__arrow">›</span>
github.com/opsgenie/opsgenie-go-sdk-v2/client@1.2.23
<span class="list-paths__item__arrow">›</span>
github.com/hashicorp/go-retryablehttp@0.7.7
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v3@0.0.0
<span class="list-paths__item__arrow">›</span>
github.com/argoproj/notifications-engine/pkg/api@#87bf0576a872
<span class="list-paths__item__arrow">›</span>
github.com/argoproj/notifications-engine/pkg/subscriptions@#87bf0576a872
<span class="list-paths__item__arrow">›</span>
github.com/argoproj/notifications-engine/pkg/services@#87bf0576a872
<span class="list-paths__item__arrow">›</span>
github.com/hashicorp/go-retryablehttp@0.7.7
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v3@0.0.0
<span class="list-paths__item__arrow">›</span>
github.com/argoproj/notifications-engine/pkg/controller@#87bf0576a872
<span class="list-paths__item__arrow">›</span>
github.com/argoproj/notifications-engine/pkg/subscriptions@#87bf0576a872
<span class="list-paths__item__arrow">›</span>
github.com/argoproj/notifications-engine/pkg/services@#87bf0576a872
<span class="list-paths__item__arrow">›</span>
github.com/hashicorp/go-retryablehttp@0.7.7
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v3@0.0.0
<span class="list-paths__item__arrow">›</span>
github.com/argoproj/notifications-engine/pkg/subscriptions@#87bf0576a872
<span class="list-paths__item__arrow">›</span>
github.com/argoproj/notifications-engine/pkg/services@#87bf0576a872
<span class="list-paths__item__arrow">›</span>
github.com/opsgenie/opsgenie-go-sdk-v2/client@1.2.23
<span class="list-paths__item__arrow">›</span>
github.com/hashicorp/go-retryablehttp@0.7.7
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v3@0.0.0
<span class="list-paths__item__arrow">›</span>
github.com/argoproj/notifications-engine/pkg/cmd@#87bf0576a872
<span class="list-paths__item__arrow">›</span>
github.com/argoproj/notifications-engine/pkg/services@#87bf0576a872
<span class="list-paths__item__arrow">›</span>
github.com/opsgenie/opsgenie-go-sdk-v2/client@1.2.23
<span class="list-paths__item__arrow">›</span>
github.com/hashicorp/go-retryablehttp@0.7.7
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v3@0.0.0
<span class="list-paths__item__arrow">›</span>
github.com/argoproj/notifications-engine/pkg/api@#87bf0576a872
<span class="list-paths__item__arrow">›</span>
github.com/argoproj/notifications-engine/pkg/subscriptions@#87bf0576a872
<span class="list-paths__item__arrow">›</span>
github.com/argoproj/notifications-engine/pkg/services@#87bf0576a872
<span class="list-paths__item__arrow">›</span>
github.com/opsgenie/opsgenie-go-sdk-v2/client@1.2.23
<span class="list-paths__item__arrow">›</span>
github.com/hashicorp/go-retryablehttp@0.7.7
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v3@0.0.0
<span class="list-paths__item__arrow">›</span>
github.com/argoproj/notifications-engine/pkg/controller@#87bf0576a872
<span class="list-paths__item__arrow">›</span>
github.com/argoproj/notifications-engine/pkg/subscriptions@#87bf0576a872
<span class="list-paths__item__arrow">›</span>
github.com/argoproj/notifications-engine/pkg/services@#87bf0576a872
<span class="list-paths__item__arrow">›</span>
github.com/opsgenie/opsgenie-go-sdk-v2/client@1.2.23
<span class="list-paths__item__arrow">›</span>
github.com/hashicorp/go-retryablehttp@0.7.7
</span>
</li>
</ul><!-- .list-paths -->
</div><!-- .card__section -->
<hr/>
<!-- Overview -->
<p>MPL-2.0 license</p>
<hr/>
<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:go-retryablehttp:MPL-2.0">More about this vulnerability</a></p>
</div>
</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium">
<h2 class="card__title">MPL-2.0 license</h2>
<div class="card__section">
<div class="card__labels">
<div class="label label--medium">
<span class="label__text">medium severity</span>
</div>
</div>
<hr/>
<ul class="card__meta">
<li class="card__meta__item">
Manifest file: /argo-cd/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> go.mod
</li>
<li class="card__meta__item">
Package Manager: golang
</li>
<li class="card__meta__item">
Module:
github.com/hashicorp/go-cleanhttp
</li>
<li class="card__meta__item">Introduced through:
github.com/argoproj/argo-cd/v3@0.0.0, github.com/hashicorp/go-retryablehttp@0.7.7 and others
</li>
</ul>
<hr/>
<h3 class="card__section__title">Detailed paths</h3>
<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v3@0.0.0
<span class="list-paths__item__arrow">›</span>
github.com/hashicorp/go-retryablehttp@0.7.7
<span class="list-paths__item__arrow">›</span>
github.com/hashicorp/go-cleanhttp@0.5.2
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v3@0.0.0
<span class="list-paths__item__arrow">›</span>
gitlab.com/gitlab-org/api/client-go@0.116.0
<span class="list-paths__item__arrow">›</span>
github.com/hashicorp/go-cleanhttp@0.5.2
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v3@0.0.0
<span class="list-paths__item__arrow">›</span>
gitlab.com/gitlab-org/api/client-go@0.116.0
<span class="list-paths__item__arrow">›</span>
github.com/hashicorp/go-retryablehttp@0.7.7
<span class="list-paths__item__arrow">›</span>
github.com/hashicorp/go-cleanhttp@0.5.2
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v3@0.0.0
<span class="list-paths__item__arrow">›</span>
github.com/argoproj/notifications-engine/pkg/services@#87bf0576a872
<span class="list-paths__item__arrow">›</span>
github.com/opsgenie/opsgenie-go-sdk-v2/client@1.2.23
<span class="list-paths__item__arrow">›</span>
github.com/hashicorp/go-retryablehttp@0.7.7
<span class="list-paths__item__arrow">›</span>
github.com/hashicorp/go-cleanhttp@0.5.2
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v3@0.0.0
<span class="list-paths__item__arrow">›</span>
github.com/argoproj/notifications-engine/pkg/subscriptions@#87bf0576a872
<span class="list-paths__item__arrow">›</span>
github.com/argoproj/notifications-engine/pkg/services@#87bf0576a872
<span class="list-paths__item__arrow">›</span>
github.com/opsgenie/opsgenie-go-sdk-v2/client@1.2.23
<span class="list-paths__item__arrow">›</span>
github.com/hashicorp/go-retryablehttp@0.7.7
<span class="list-paths__item__arrow">›</span>
github.com/hashicorp/go-cleanhttp@0.5.2
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v3@0.0.0
<span class="list-paths__item__arrow">›</span>
github.com/argoproj/notifications-engine/pkg/cmd@#87bf0576a872
<span class="list-paths__item__arrow">›</span>
github.com/argoproj/notifications-engine/pkg/services@#87bf0576a872
<span class="list-paths__item__arrow">›</span>
github.com/opsgenie/opsgenie-go-sdk-v2/client@1.2.23
<span class="list-paths__item__arrow">›</span>
github.com/hashicorp/go-retryablehttp@0.7.7
<span class="list-paths__item__arrow">›</span>
github.com/hashicorp/go-cleanhttp@0.5.2
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v3@0.0.0
<span class="list-paths__item__arrow">›</span>
github.com/argoproj/notifications-engine/pkg/api@#87bf0576a872
<span class="list-paths__item__arrow">›</span>
github.com/argoproj/notifications-engine/pkg/subscriptions@#87bf0576a872
<span class="list-paths__item__arrow">›</span>
github.com/argoproj/notifications-engine/pkg/services@#87bf0576a872
<span class="list-paths__item__arrow">›</span>
github.com/opsgenie/opsgenie-go-sdk-v2/client@1.2.23
<span class="list-paths__item__arrow">›</span>
github.com/hashicorp/go-retryablehttp@0.7.7
<span class="list-paths__item__arrow">›</span>
github.com/hashicorp/go-cleanhttp@0.5.2
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v3@0.0.0
<span class="list-paths__item__arrow">›</span>
github.com/argoproj/notifications-engine/pkg/controller@#87bf0576a872
<span class="list-paths__item__arrow">›</span>
github.com/argoproj/notifications-engine/pkg/subscriptions@#87bf0576a872
<span class="list-paths__item__arrow">›</span>
github.com/argoproj/notifications-engine/pkg/services@#87bf0576a872
<span class="list-paths__item__arrow">›</span>
github.com/opsgenie/opsgenie-go-sdk-v2/client@1.2.23
<span class="list-paths__item__arrow">›</span>
github.com/hashicorp/go-retryablehttp@0.7.7
<span class="list-paths__item__arrow">›</span>
github.com/hashicorp/go-cleanhttp@0.5.2
</span>
</li>
</ul><!-- .list-paths -->
</div><!-- .card__section -->
<hr/>
<!-- Overview -->
<p>MPL-2.0 license</p>
<hr/>
<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:go-cleanhttp:MPL-2.0">More about this vulnerability</a></p>
</div>
</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium">
<h2 class="card__title">MPL-2.0 license</h2>
<div class="card__section">
<div class="card__labels">
<div class="label label--medium">
<span class="label__text">medium severity</span>
</div>
</div>
<hr/>
<ul class="card__meta">
<li class="card__meta__item">
Manifest file: /argo-cd/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> go.mod
</li>
<li class="card__meta__item">
Package Manager: golang
</li>
<li class="card__meta__item">
Module:
github.com/gosimple/slug
</li>
<li class="card__meta__item">Introduced through:
github.com/argoproj/argo-cd/v3@0.0.0 and github.com/gosimple/slug@1.15.0
</li>
</ul>
<hr/>
<h3 class="card__section__title">Detailed paths</h3>
<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v3@0.0.0
<span class="list-paths__item__arrow">›</span>
github.com/gosimple/slug@1.15.0
</span>
</li>
</ul><!-- .list-paths -->
</div><!-- .card__section -->
<hr/>
<!-- Overview -->
<p>MPL-2.0 license</p>
<hr/>
<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:gosimple:slug:MPL-2.0">More about this vulnerability</a></p>
</div>
</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium">
<h2 class="card__title">Regular Expression Denial of Service (ReDoS)</h2>
<div class="card__section">
<div class="card__labels">
<div class="label label--medium">
<span class="label__text">medium severity</span>
</div>
</div>
<hr/>
<ul class="card__meta">
<li class="card__meta__item">
Manifest file: /argo-cd <span class="list-paths__item__arrow">›</span> ui/yarn.lock
</li>
<li class="card__meta__item">
Package Manager: npm
</li>
<li class="card__meta__item">
Vulnerable module:
foundation-sites
</li>
<li class="card__meta__item">Introduced through:
argo-cd-ui@1.0.0 and foundation-sites@6.8.1
</li>
</ul>
<hr/>
<h3 class="card__section__title">Detailed paths</h3>
<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
argo-cd-ui@1.0.0
<span class="list-paths__item__arrow">›</span>
foundation-sites@6.8.1
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
argo-cd-ui@1.0.0
<span class="list-paths__item__arrow">›</span>
argo-ui@1.0.0
<span class="list-paths__item__arrow">›</span>
foundation-sites@6.8.1
</span>
</li>
</ul><!-- .list-paths -->
</div><!-- .card__section -->
<hr/>
<!-- Overview -->
<h2 id="overview">Overview</h2>
<p><a href="https://github.com/zurb/foundation-sites">foundation-sites</a> is a responsive front-end framework</p>
<p>Affected
versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) due to inefficient backtracking in the regular expressions used in URL forms.</p>
<h2 id="poc">PoC</h2>
<pre><code>https://www.'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
</code></pre>
<h2 id="details">Details</h2>
<p>Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.</p>
<p>The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.</p>
<p>Let’s take the following regular expression as an example:</p>
<pre><code class="language-js">regex = /A(B|C+)+D/
</code></pre>
<p>This regular expression accomplishes the following:</p>
<ul>
<li><code>A</code> The string must start with the letter 'A'</li>
<li><code>(B|C+)+</code> The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the <code>+</code> matches one or more times).
The <code>+</code> at the end of this section states that we can look for one or more matches of this section.</li>
<li><code>D</code> Finally, we ensure this section of the string ends with a 'D'</li>
</ul>
<p>The expression would match inputs such as <code>ABBD</code>, <code>ABCCCCD</code>, <code>ABCBCCCD</code> and <code>ACCCCCD</code></p>
<p>In most cases, it doesn't take very long for a regex engine to find a match:</p>
<pre><code class="language-bash">$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
0.04s user 0.01s system 95% cpu 0.052 total

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
1.79s user 0.02s system 99% cpu 1.812 total
</code></pre>
<p>The entire process of testing it against a 30-character string takes around 52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.</p>
<p>Most regex engines work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as <em>catastrophic backtracking</em>.</p>
<p>Let's look at how our expression runs into this problem, using a shorter string: "ACCCX".
While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:</p>
<ol>
<li>CCC</li>
<li>CC+C</li>
<li>C+CC</li>
<li>C+C+C.</li>
</ol>
<p>The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use the <a href="https://regex101.com/debugger">RegEx 101 debugger</a> to see that the engine has to take a total of 38 steps before it can determine the string doesn't match.</p>
<p>From there, the number of steps the engine must use to validate a string just continues to grow.</p>
<table>
<thead>
<tr>
<th>String</th>
<th align="right">Number of C's</th>
<th align="right">Number of steps</th>
</tr>
</thead>
<tbody><tr>
<td>ACCCX</td>
<td align="right">3</td>
<td align="right">38</td>
</tr>
<tr>
<td>ACCCCX</td>
<td align="right">4</td>
<td align="right">71</td>
</tr>
<tr>
<td>ACCCCCX</td>
<td align="right">5</td>
<td align="right">136</td>
</tr>
<tr>
<td>ACCCCCCCCCCCCCCX</td>
<td align="right">14</td>
<td align="right">65,553</td>
</tr>
</tbody></table>
<p>By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme cases make the engine run very slowly (exponentially in the input size, as shown above), which an attacker can exploit to make the service consume excessive CPU, resulting in a Denial of Service.</p>
<h2 id="remediation">Remediation</h2>
<p>There is no fixed version for <code>foundation-sites</code>.</p>
<h2 id="references">References</h2>
<ul>
<li><a href="https://securitylab.github.com/advisories/GHSL-2020-290-redos-foundation-sites">GitHub Advisory</a></li>
<li><a href="https://github.com/foundation/foundation-sites/issues/12180">GitHub Issue</a></li>
<li><a href="https://github.com/foundation/foundation-sites/blob/develop/js/foundation.abide.js#L864">Vulnerable Code</a></li>
</ul>
<hr/>
<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/SNYK-JS-FOUNDATIONSITES-8310364">More about this vulnerability</a></p>
</div>
</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium">
<h2 class="card__title">Regular Expression Denial of Service (ReDoS)</h2>
<div class="card__section">
<div class="card__labels">
<div class="label label--medium">
<span class="label__text">medium severity</span>
</div>
</div>
<hr/>
<ul class="card__meta">
<li class="card__meta__item">
Manifest file: /argo-cd <span class="list-paths__item__arrow">›</span> ui/yarn.lock
</li>
<li class="card__meta__item">
Package Manager: npm
</li>
<li class="card__meta__item">
Vulnerable module:
@babel/runtime
</li>
<li class="card__meta__item">Introduced through:
argo-cd-ui@1.0.0, history@4.10.1 and others
</li>
</ul>
<hr/>
<h3 class="card__section__title">Detailed paths</h3>
<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
argo-cd-ui@1.0.0
<span class="list-paths__item__arrow">›</span>
history@4.10.1
<span class="list-paths__item__arrow">›</span>
@babel/runtime@7.14.6
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
argo-cd-ui@1.0.0
<span class="list-paths__item__arrow">›</span>
argo-ui@1.0.0
<span class="list-paths__item__arrow">›</span>
history@4.10.1
<span class="list-paths__item__arrow">›</span>
@babel/runtime@7.14.6
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
argo-cd-ui@1.0.0
<span class="list-paths__item__arrow">›</span>
react-router@4.3.1
<span class="list-paths__item__arrow">›</span>
history@4.10.1
<span class="list-paths__item__arrow">›</span>
@babel/runtime@7.14.6
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
argo-cd-ui@1.0.0
<span class="list-paths__item__arrow">›</span>
react-router-dom@4.3.1
<span class="list-paths__item__arrow">›</span>
history@4.10.1
<span class="list-paths__item__arrow">›</span>
@babel/runtime@7.14.6
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
argo-cd-ui@1.0.0
<span class="list-paths__item__arrow">›</span>
react-form@2.16.3
<span class="list-paths__item__arrow">›</span>
react-redux@5.1.2
<span class="list-paths__item__arrow">›</span>
@babel/runtime@7.14.6
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
argo-cd-ui@1.0.0
<span class="list-paths__item__arrow">›</span>
react-form@2.16.3
<span class="list-paths__item__arrow">›</span>
react-redux@5.1.2
<span class="list-paths__item__arrow">›</span>
@babel/runtime@7.14.6
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
argo-cd-ui@1.0.0
<span class="list-paths__item__arrow">›</span>
react-router-dom@4.3.1
<span class="list-paths__item__arrow">›</span>
react-router@4.3.1
<span class="list-paths__item__arrow">›</span>
history@4.10.1
<span class="list-paths__item__arrow">›</span>
@babel/runtime@7.14.6
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
argo-cd-ui@1.0.0
<span class="list-paths__item__arrow">›</span>
argo-ui@1.0.0
<span class="list-paths__item__arrow">›</span>
react-router-dom@4.3.1
<span class="list-paths__item__arrow">›</span>
history@4.10.1
<span class="list-paths__item__arrow">›</span>
@babel/runtime@7.14.6
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
argo-cd-ui@1.0.0
<span class="list-paths__item__arrow">›</span>
argo-ui@1.0.0
<span class="list-paths__item__arrow">›</span>
react-form@2.16.3
<span class="list-paths__item__arrow">›</span>
react-redux@5.1.2
<span class="list-paths__item__arrow">›</span>
@babel/runtime@7.14.6
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
argo-cd-ui@1.0.0
<span class="list-paths__item__arrow">›</span>
argo-ui@1.0.0
<span class="list-paths__item__arrow">›</span>
react-form@2.16.3
<span class="list-paths__item__arrow">›</span>
react-redux@5.1.2
<span class="list-paths__item__arrow">›</span>
@babel/runtime@7.14.6
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
2786 argo-cd-ui@1.0.0 2787 <span class="list-paths__item__arrow">›</span> 2788 argo-ui@1.0.0 2789 <span class="list-paths__item__arrow">›</span> 2790 react-router-dom@4.3.1 2791 <span class="list-paths__item__arrow">›</span> 2792 react-router@4.3.1 2793 <span class="list-paths__item__arrow">›</span> 2794 history@4.10.1 2795 <span class="list-paths__item__arrow">›</span> 2796 @babel/runtime@7.14.6 2797 2798 </span> 2799 2800 </li> 2801 <li> 2802 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2803 argo-cd-ui@1.0.0 2804 <span class="list-paths__item__arrow">›</span> 2805 date-fns@2.30.0 2806 <span class="list-paths__item__arrow">›</span> 2807 @babel/runtime@7.21.5 2808 2809 </span> 2810 2811 </li> 2812 <li> 2813 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2814 argo-cd-ui@1.0.0 2815 <span class="list-paths__item__arrow">›</span> 2816 react-virtualized@9.22.3 2817 <span class="list-paths__item__arrow">›</span> 2818 @babel/runtime@7.20.13 2819 2820 </span> 2821 2822 </li> 2823 <li> 2824 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2825 argo-cd-ui@1.0.0 2826 <span class="list-paths__item__arrow">›</span> 2827 react-virtualized@9.22.3 2828 <span class="list-paths__item__arrow">›</span> 2829 dom-helpers@5.2.1 2830 <span class="list-paths__item__arrow">›</span> 2831 @babel/runtime@7.20.13 2832 2833 </span> 2834 2835 </li> 2836 <li> 2837 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2838 argo-cd-ui@1.0.0 2839 <span class="list-paths__item__arrow">›</span> 2840 redoc@2.0.0-rc.64 2841 <span class="list-paths__item__arrow">›</span> 2842 polished@4.1.4 2843 <span class="list-paths__item__arrow">›</span> 2844 @babel/runtime@7.17.2 2845 2846 </span> 2847 2848 </li> 2849 </ul><!-- .list-paths --> 2850 2851 </div><!-- .card__section --> 2852 2853 <hr/> 2854 <!-- Overview --> 2855 <h2 id="overview">Overview</h2> 2856 <p>Affected versions of this package are vulnerable to Regular 
Expression Denial of Service (ReDoS) in the <code>replace()</code> method in <code>wrapRegExp.js</code>. An attacker can cause degradation in performance by supplying input strings that exploit the quadratic complexity of the replacement algorithm. </p> 2857 <p>This is only exploitable when all of the following conditions are met: </p> 2858 <ol> 2859 <li><p>The code passes untrusted strings in the second argument to <code>.replace()</code>.</p> 2860 </li> 2861 <li><p>The compiled regular expressions being applied contain named capture groups.</p> 2862 </li> 2863 </ol> 2864 <p>In the case of <code>@babel/preset-env</code>, if the <code>targets</code> option is in use the application will be vulnerable under either of the following conditions:</p> 2865 <ol> 2866 <li><p>A browser older than Chrome 64, Opera 71, Edge 79, Firefox 78, Safari 11.1, or Node.js 10 is used when processing named capture groups.</p> 2867 </li> 2868 <li><p>A browser older than Chrome/Edge 126, Opera 112, Firefox 129, Safari 17.4, or Node.js 23 is used when processing duplicated named capture groups.</p> 2869 </li> 2870 </ol> 2871 <p><strong>Note:</strong> The project maintainers advise that "just updating your Babel dependencies is not enough: you will also need to re-compile your code."</p> 2872 <h2 id="workaround">Workaround</h2> 2873 <p> This vulnerability can be avoided by filtering out input containing a <code>$<</code> that is not followed by a <code>></code>.</p> 2874 <h2 id="details">Details</h2> 2875 <p>Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. 
There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportionate amount of time to process.</p> 2876 <p>The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.</p> 2877 <p>Let’s take the following regular expression as an example:</p> 2878 <pre><code class="language-js">regex = /A(B|C+)+D/ 2879 </code></pre> 2880 <p>This regular expression accomplishes the following:</p> 2881 <ul> 2882 <li><code>A</code> The string must start with the letter 'A'</li> 2883 <li><code>(B|C+)+</code> The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the <code>+</code> matches one or more times). The <code>+</code> at the end of this section states that we can look for one or more matches of this section.</li> 2884 <li><code>D</code> Finally, we ensure this section of the string ends with a 'D'</li> 2885 </ul> 2886 <p>The expression would match inputs such as <code>ABBD</code>, <code>ABCCCCD</code>, <code>ABCBCCCD</code> and <code>ACCCCCD</code>.</p> 2887 <p>In most cases, it doesn't take very long for a regex engine to find a match:</p> 2888 <pre><code class="language-bash">$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")' 2889 0.04s user 0.01s system 95% cpu 0.052 total 2890 2891 $ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")' 2892 1.79s user 0.02s system 99% cpu 1.812 total 2893 </code></pre> 2894 <p>The entire process of testing it against a 30-character string takes around 52 ms.
But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.</p> 2895 <p>Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as <em>catastrophic backtracking</em>.</p> 2896 <p>Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:</p> 2897 <ol> 2898 <li>CCC</li> 2899 <li>CC+C</li> 2900 <li>C+CC</li> 2901 <li>C+C+C.</li> 2902 </ol> 2903 <p>The engine has to try each of those combinations to see if any of them potentially match against the expression. 
When you combine that with the other steps the engine must take, we can use <a href="https://regex101.com/debugger">RegEx 101 debugger</a> to see the engine has to take a total of 38 steps before it can determine the string doesn't match.</p> 2904 <p>From there, the number of steps the engine must use to validate a string just continues to grow.</p> 2905 <table> 2906 <thead> 2907 <tr> 2908 <th>String</th> 2909 <th align="right">Number of C's</th> 2910 <th align="right">Number of steps</th> 2911 </tr> 2912 </thead> 2913 <tbody><tr> 2914 <td>ACCCX</td> 2915 <td align="right">3</td> 2916 <td align="right">38</td> 2917 </tr> 2918 <tr> 2919 <td>ACCCCX</td> 2920 <td align="right">4</td> 2921 <td align="right">71</td> 2922 </tr> 2923 <tr> 2924 <td>ACCCCCX</td> 2925 <td align="right">5</td> 2926 <td align="right">136</td> 2927 </tr> 2928 <tr> 2929 <td>ACCCCCCCCCCCCCCX</td> 2930 <td align="right">14</td> 2931 <td align="right">65,553</td> 2932 </tr> 2933 </tbody></table> 2934 <p>By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. 
These extreme situations can make the regex engine work very slowly (the number of steps grows exponentially with input size, as shown above), allowing an attacker to exploit this and make the service consume excessive CPU, resulting in a Denial of Service.</p> 2935 <h2 id="remediation">Remediation</h2> 2936 <p>Upgrade <code>@babel/runtime</code> to version 7.26.10, 8.0.0-alpha.17 or higher.</p> 2937 <h2 id="references">References</h2> 2938 <ul> 2939 <li><a href="https://github.com/babel/babel/commit/d5952e80c0faa5ec20e35085531b6e572d31dad4">GitHub Commit</a></li> 2940 <li><a href="https://gist.github.com/mmmsssttt404/1f066ed9237f514714f2cc022d631838">GitHub Gist</a></li> 2941 <li><a href="https://github.com/babel/babel/pull/17173">GitHub PR</a></li> 2942 </ul> 2943 2944 <hr/> 2945 2946 <div class="cta card__cta"> 2947 <p><a href="https://snyk.io/vuln/SNYK-JS-BABELRUNTIME-10044504">More about this vulnerability</a></p> 2948 </div> 2949 2950 </div><!-- .card --> 2951 <div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low"> 2952 <h2 class="card__title">Arbitrary Code Injection</h2> 2953 <div class="card__section"> 2954 2955 <div class="card__labels"> 2956 <div class="label label--low"> 2957 <span class="label__text">low severity</span> 2958 </div> 2959 </div> 2960 2961 <hr/> 2962 2963 <ul class="card__meta"> 2964 <li class="card__meta__item"> 2965 Manifest file: /argo-cd <span class="list-paths__item__arrow">›</span> ui/yarn.lock 2966 </li> 2967 <li class="card__meta__item"> 2968 Package Manager: npm 2969 </li> 2970 <li class="card__meta__item"> 2971 Vulnerable module: 2972 2973 prismjs 2974 </li> 2975 2976 <li class="card__meta__item">Introduced through: 2977 2978 2979 argo-cd-ui@1.0.0, redoc@2.0.0-rc.64 and others 2980 </li> 2981 </ul> 2982 2983 <hr/> 2984 2985 2986 <h3 class="card__section__title">Detailed paths</h3> 2987 2988 <ul class="card__meta__paths"> 2989 <li> 2990 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2991
argo-cd-ui@1.0.0 2992 <span class="list-paths__item__arrow">›</span> 2993 redoc@2.0.0-rc.64 2994 <span class="list-paths__item__arrow">›</span> 2995 prismjs@1.27.0 2996 2997 </span> 2998 2999 </li> 3000 </ul><!-- .list-paths --> 3001 3002 </div><!-- .card__section --> 3003 3004 <hr/> 3005 <!-- Overview --> 3006 <h2 id="overview">Overview</h2> 3007 <p><a href="http://prismjs.com/">prismjs</a> is a lightweight, robust, elegant syntax highlighting library.</p> 3008 <p>Affected versions of this package are vulnerable to Arbitrary Code Injection via the <code>document.currentScript</code> lookup process. An attacker can manipulate the web page content and execute unintended actions by injecting HTML elements that overshadow legitimate DOM elements.</p> 3009 <p><strong>Note:</strong></p> 3010 <p>This is only exploitable if the application accepts untrusted input containing HTML but not direct JavaScript.</p> 3011 <h2 id="remediation">Remediation</h2> 3012 <p>Upgrade <code>prismjs</code> to version 1.30.0 or higher.</p> 3013 <h2 id="references">References</h2> 3014 <ul> 3015 <li><a href="https://github.com/PrismJS/prism/commit/8e8b9352dac64457194dd9e51096b4772532e53d">GitHub Commit</a></li> 3016 <li><a href="https://gist.github.com/jackfromeast/aeb128e44f05f95828a1a824708df660">GitHub Gist</a></li> 3017 <li><a href="https://github.com/PrismJS/prism/pull/3863">GitHub PR</a></li> 3018 <li><a href="https://github.com/PrismJS/prism/blob/59e5a3471377057de1f401ba38337aca27b80e03/prism.js#L226-L259">Vulnerable Code</a></li> 3019 </ul> 3020 3021 <hr/> 3022 3023 <div class="cta card__cta"> 3024 <p><a href="https://snyk.io/vuln/SNYK-JS-PRISMJS-9055448">More about this vulnerability</a></p> 3025 </div> 3026 3027 </div><!-- .card --> 3028 <div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low"> 3029 <h2 class="card__title">Insecure Randomness</h2> 3030 <div class="card__section"> 3031 3032 <div class="card__labels"> 3033 <div class="label label--low"> 3034 
<span class="label__text">low severity</span> 3035 </div> 3036 </div> 3037 3038 <hr/> 3039 3040 <ul class="card__meta"> 3041 <li class="card__meta__item"> 3042 Manifest file: /argo-cd <span class="list-paths__item__arrow">›</span> ui/yarn.lock 3043 </li> 3044 <li class="card__meta__item"> 3045 Package Manager: npm 3046 </li> 3047 <li class="card__meta__item"> 3048 Vulnerable module: 3049 3050 formidable 3051 </li> 3052 3053 <li class="card__meta__item">Introduced through: 3054 3055 3056 argo-cd-ui@1.0.0, superagent@8.1.2 and others 3057 </li> 3058 </ul> 3059 3060 <hr/> 3061 3062 3063 <h3 class="card__section__title">Detailed paths</h3> 3064 3065 <ul class="card__meta__paths"> 3066 <li> 3067 <span class="list-paths__item__introduced"><em>Introduced through</em>: 3068 argo-cd-ui@1.0.0 3069 <span class="list-paths__item__arrow">›</span> 3070 superagent@8.1.2 3071 <span class="list-paths__item__arrow">›</span> 3072 formidable@2.1.2 3073 3074 </span> 3075 3076 </li> 3077 </ul><!-- .list-paths --> 3078 3079 </div><!-- .card__section --> 3080 3081 <hr/> 3082 <!-- Overview --> 3083 <h2 id="overview">Overview</h2> 3084 <p>Affected versions of this package are vulnerable to Insecure Randomness due to its use of the <code>hexoid()</code> function in the generation of fingerprint IDs.</p> 3085 <h2 id="remediation">Remediation</h2> 3086 <p>Upgrade <code>formidable</code> to version 2.1.3, 3.5.3 or higher.</p> 3087 <h2 id="references">References</h2> 3088 <ul> 3089 <li><a href="https://github.com/node-formidable/formidable/commit/022c2c5577dfe14d2947f10909d81b03b6070bf5">GitHub Commit</a></li> 3090 <li><a href="https://github.com/zast-ai/vulnerability-reports/blob/main/formidable/file_upload/report.md">Vulnerability Report</a></li> 3091 </ul> 3092 3093 <hr/> 3094 3095 <div class="cta card__cta"> 3096 <p><a href="https://snyk.io/vuln/SNYK-JS-FORMIDABLE-9788127">More about this vulnerability</a></p> 3097 </div> 3098 3099 </div><!-- .card --> 3100 <div class="card card--vuln 
disclosure--not-new severity--low" data-snyk-test="low"> 3101 <h2 class="card__title">Cross-site Scripting (XSS)</h2> 3102 <div class="card__section"> 3103 3104 <div class="card__labels"> 3105 <div class="label label--low"> 3106 <span class="label__text">low severity</span> 3107 </div> 3108 </div> 3109 3110 <hr/> 3111 3112 <ul class="card__meta"> 3113 <li class="card__meta__item"> 3114 Manifest file: /argo-cd <span class="list-paths__item__arrow">›</span> ui/yarn.lock 3115 </li> 3116 <li class="card__meta__item"> 3117 Package Manager: npm 3118 </li> 3119 <li class="card__meta__item"> 3120 Vulnerable module: 3121 3122 dompurify 3123 </li> 3124 3125 <li class="card__meta__item">Introduced through: 3126 3127 3128 argo-cd-ui@1.0.0, redoc@2.0.0-rc.64 and others 3129 </li> 3130 </ul> 3131 3132 <hr/> 3133 3134 3135 <h3 class="card__section__title">Detailed paths</h3> 3136 3137 <ul class="card__meta__paths"> 3138 <li> 3139 <span class="list-paths__item__introduced"><em>Introduced through</em>: 3140 argo-cd-ui@1.0.0 3141 <span class="list-paths__item__arrow">›</span> 3142 redoc@2.0.0-rc.64 3143 <span class="list-paths__item__arrow">›</span> 3144 dompurify@2.5.6 3145 3146 </span> 3147 3148 </li> 3149 </ul><!-- .list-paths --> 3150 3151 </div><!-- .card__section --> 3152 3153 <hr/> 3154 <!-- Overview --> 3155 <h2 id="overview">Overview</h2> 3156 <p><a href="https://github.com/cure53/DOMPurify">dompurify</a> is a DOM-only XSS sanitizer for HTML, MathML and SVG.</p> 3157 <p>Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to incorrect handling of template literals in regular expressions. An attacker can manipulate the output of the script by injecting malicious payloads that bypass the <code>dompurify</code> sanitization.</p> 3158 <h2 id="poc">PoC</h2> 3159 <pre><code class="language-js">DOMPurify.sanitize( 3160 `<math><foo-test><mi><li><table><foo-test><li></li></foo-test><a> 3161 <style> 3162 <! 
\${ 3163 </style> 3164 } 3165 <foo-b id="><img src onerror='alert(1)'>">hmm...</foo-b> 3166 </a></table></li></mi></foo-test></math> 3167 `, 3168 { 3169 SAFE_FOR_TEMPLATES: true, 3170 CUSTOM_ELEMENT_HANDLING: { 3171 tagNameCheck: /^foo-/, 3172 }, 3173 } 3174 ); 3175 </code></pre> 3176 <h2 id="details">Details</h2> 3177 <p>Cross-site scripting (or XSS) is a code vulnerability that occurs when an attacker “injects” a malicious script into an otherwise trusted website. The injected script gets downloaded and executed by the end user’s browser when the user interacts with the compromised website.</p> 3178 <p>This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.</p> 3179 <p>Injecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.</p> 3180 <p>Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, <code><</code> can be coded as <code>&lt;</code> and <code>></code> can be coded as <code>&gt;</code> in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags.
If malicious content is injected into an application that escapes special characters and that malicious content uses <code><</code> and <code>></code> as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.</p> 3181 <p>The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware. </p> 3182 <h3 id="types-of-attacks">Types of attacks</h3> 3183 <p>There are a few methods by which XSS can be manipulated:</p> 3184 <table> 3185 <thead> 3186 <tr> 3187 <th>Type</th> 3188 <th>Origin</th> 3189 <th>Description</th> 3190 </tr> 3191 </thead> 3192 <tbody><tr> 3193 <td><strong>Stored</strong></td> 3194 <td>Server</td> 3195 <td>The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.</td> 3196 </tr> 3197 <tr> 3198 <td><strong>Reflected</strong></td> 3199 <td>Server</td> 3200 <td>The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.</td> 3201 </tr> 3202 <tr> 3203 <td><strong>DOM-based</strong></td> 3204 <td>Client</td> 3205 <td>The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.</td> 3206 </tr> 3207 <tr> 3208 <td><strong>Mutated</strong></td> 3209 <td></td> 3210 <td>The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. 
An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.</td> 3211 </tr> 3212 </tbody></table> 3213 <h3 id="affected-environments">Affected environments</h3> 3214 <p>The following environments are susceptible to an XSS attack:</p> 3215 <ul> 3216 <li>Web servers</li> 3217 <li>Application servers</li> 3218 <li>Web application environments</li> 3219 </ul> 3220 <h3 id="how-to-prevent">How to prevent</h3> 3221 <p>This section describes the top best practices designed to specifically protect your code: </p> 3222 <ul> 3223 <li>Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches. </li> 3224 <li>Convert special characters such as <code>?</code>, <code>&</code>, <code>/</code>, <code><</code>, <code>></code> and spaces to their respective HTML or URL encoded equivalents. </li> 3225 <li>Give users the option to disable client-side scripts.</li> 3226 <li>Redirect invalid requests.</li> 3227 <li>Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.</li> 3228 <li>Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.</li> 3229 <li>Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.</li> 3230 </ul> 3231 <h2 id="remediation">Remediation</h2> 3232 <p>Upgrade <code>dompurify</code> to version 3.2.4 or higher.</p> 3233 <h2 id="references">References</h2> 3234 <ul> 3235 <li><a href="https://github.com/cure53/DOMPurify/commit/d18ffcb554e0001748865da03ac75dd7829f0f02">GitHub Commit</a></li> 3236 <li><a href="https://github.com/cure53/DOMPurify/releases/tag/3.2.4">GitHub Release</a></li> 3237 <li><a href="https://ensy.zip/posts/dompurify-323-bypass/">Vulnerability Report</a></li> 
3238 </ul> 3239 3240 <hr/> 3241 3242 <div class="cta card__cta"> 3243 <p><a href="https://snyk.io/vuln/SNYK-JS-DOMPURIFY-8722251">More about this vulnerability</a></p> 3244 </div> 3245 3246 </div><!-- .card --> 3247 <div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low"> 3248 <h2 class="card__title">Regular Expression Denial of Service (ReDoS)</h2> 3249 <div class="card__section"> 3250 3251 <div class="card__labels"> 3252 <div class="label label--low"> 3253 <span class="label__text">low severity</span> 3254 </div> 3255 </div> 3256 3257 <hr/> 3258 3259 <ul class="card__meta"> 3260 <li class="card__meta__item"> 3261 Manifest file: /argo-cd <span class="list-paths__item__arrow">›</span> ui/yarn.lock 3262 </li> 3263 <li class="card__meta__item"> 3264 Package Manager: npm 3265 </li> 3266 <li class="card__meta__item"> 3267 Vulnerable module: 3268 3269 brace-expansion 3270 </li> 3271 3272 <li class="card__meta__item">Introduced through: 3273 3274 3275 argo-cd-ui@1.0.0, minimatch@3.1.2 and others 3276 </li> 3277 </ul> 3278 3279 <hr/> 3280 3281 3282 <h3 class="card__section__title">Detailed paths</h3> 3283 3284 <ul class="card__meta__paths"> 3285 <li> 3286 <span class="list-paths__item__introduced"><em>Introduced through</em>: 3287 argo-cd-ui@1.0.0 3288 <span class="list-paths__item__arrow">›</span> 3289 minimatch@3.1.2 3290 <span class="list-paths__item__arrow">›</span> 3291 brace-expansion@1.1.11 3292 3293 </span> 3294 3295 </li> 3296 <li> 3297 <span class="list-paths__item__introduced"><em>Introduced through</em>: 3298 argo-cd-ui@1.0.0 3299 <span class="list-paths__item__arrow">›</span> 3300 redoc@2.0.0-rc.64 3301 <span class="list-paths__item__arrow">›</span> 3302 @redocly/openapi-core@1.0.0-beta.82 3303 <span class="list-paths__item__arrow">›</span> 3304 minimatch@3.1.2 3305 <span class="list-paths__item__arrow">›</span> 3306 brace-expansion@1.1.11 3307 3308 </span> 3309 3310 </li> 3311 </ul><!-- .list-paths --> 3312 3313 </div><!-- 
.card__section --> 3314 3315 <hr/> 3316 <!-- Overview --> 3317 <h2 id="overview">Overview</h2> 3318 <p><a href="https://github.com/juliangruber/brace-expansion">brace-expansion</a> is a Brace expansion as known from sh/bash.</p> 3319 <p>Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in the <code>expand()</code> function, which is prone to catastrophic backtracking on very long malicious inputs.</p> 3320 <h2 id="poc">PoC</h2> 3321 <pre><code class="language-js">import index from "./index.js"; 3322 3323 let str = "{a}" + ",".repeat(100000) + "\u0000"; 3324 3325 let startTime = performance.now(); 3326 3327 const result = index(str); 3328 3329 let endTime = performance.now(); 3330 3331 let timeTaken = endTime - startTime; 3332 3333 console.log(`匹配耗时: ${timeTaken.toFixed(3)} 毫秒`); 3334 </code></pre> 3335 <h2 id="details">Details</h2> 3336 <p>Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportionate amount of time to process.</p> 3337 <p>The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack.
Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.</p> 3338 <p>Let’s take the following regular expression as an example:</p> 3339 <pre><code class="language-js">regex = /A(B|C+)+D/ 3340 </code></pre> 3341 <p>This regular expression accomplishes the following:</p> 3342 <ul> 3343 <li><code>A</code> The string must start with the letter 'A'</li> 3344 <li><code>(B|C+)+</code> The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the <code>+</code> matches one or more times). The <code>+</code> at the end of this section states that we can look for one or more matches of this section.</li> 3345 <li><code>D</code> Finally, we ensure this section of the string ends with a 'D'</li> 3346 </ul> 3347 <p>The expression would match inputs such as <code>ABBD</code>, <code>ABCCCCD</code>, <code>ABCBCCCD</code> and <code>ACCCCCD</code>.</p> 3348 <p>In most cases, it doesn't take very long for a regex engine to find a match:</p> 3349 <pre><code class="language-bash">$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")' 3350 0.04s user 0.01s system 95% cpu 0.052 total 3351 3352 $ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")' 3353 1.79s user 0.02s system 99% cpu 1.812 total 3354 </code></pre> 3355 <p>The entire process of testing it against a 30-character string takes around 52 ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.</p> 3356 <p>Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one.
If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as <em>catastrophic backtracking</em>.</p> 3357 <p>Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:</p> 3358 <ol> 3359 <li>CCC</li> 3360 <li>CC+C</li> 3361 <li>C+CC</li> 3362 <li>C+C+C.</li> 3363 </ol> 3364 <p>The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use <a href="https://regex101.com/debugger">RegEx 101 debugger</a> to see the engine has to take a total of 38 steps before it can determine the string doesn't match.</p> 3365 <p>From there, the number of steps the engine must use to validate a string just continues to grow.</p> 3366 <table> 3367 <thead> 3368 <tr> 3369 <th>String</th> 3370 <th align="right">Number of C's</th> 3371 <th align="right">Number of steps</th> 3372 </tr> 3373 </thead> 3374 <tbody><tr> 3375 <td>ACCCX</td> 3376 <td align="right">3</td> 3377 <td align="right">38</td> 3378 </tr> 3379 <tr> 3380 <td>ACCCCX</td> 3381 <td align="right">4</td> 3382 <td align="right">71</td> 3383 </tr> 3384 <tr> 3385 <td>ACCCCCX</td> 3386 <td align="right">5</td> 3387 <td align="right">136</td> 3388 </tr> 3389 <tr> 3390 <td>ACCCCCCCCCCCCCCX</td> 3391 <td align="right">14</td> 3392 <td align="right">65,553</td> 3393 </tr> 3394 </tbody></table> 3395 <p>By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. 
These extreme situations can make the regex engine work very slowly (the number of steps grows exponentially with input size, as shown above), allowing an attacker to exploit this and make the service consume excessive CPU, resulting in a Denial of Service.</p> 3396 <h2 id="remediation">Remediation</h2> 3397 <p>Upgrade <code>brace-expansion</code> to version 1.1.12, 2.0.2, 3.0.1, 4.0.1 or higher.</p> 3398 <h2 id="references">References</h2> 3399 <ul> 3400 <li><a href="https://github.com/advisories/GHSA-v6h2-p8h4-qcjw">GitHub Advisory</a></li> 3401 <li><a href="https://github.com/juliangruber/brace-expansion/commit/0b6a9781e18e9d2769bb2931f4856d1360243ed2">GitHub Commit</a></li> 3402 <li><a href="https://gist.github.com/mmmsssttt404/37a40ce7d6e5ca604858fe30814d9466">GitHub Gist</a></li> 3403 <li><a href="https://github.com/juliangruber/brace-expansion/pull/65">GitHub PR</a></li> 3404 </ul> 3405 3406 <hr/> 3407 3408 <div class="cta card__cta"> 3409 <p><a href="https://snyk.io/vuln/SNYK-JS-BRACEEXPANSION-9789073">More about this vulnerability</a></p> 3410 </div> 3411 3412 </div><!-- .card --> 3413 </div><!-- cards --> 3414 </div> 3415 </main><!-- .layout-stacked__content --> 3416 </body> 3417 3418 </html>