Regular Expression Denial of Service vulnerability in the browserslist and glob-parent.

open
chiragmaniyar7
Posted 1 month ago

Regular Expression Denial of Service vulnerability in the browserslist and glob-parent. #11545

There is a Regular Expression Denial of Service vulnerability in the browserslist and glob-parent dependency.

Here is what npm audit security report looks like:

    === npm audit security report ===

                        Manual Review
    Some vulnerabilities require your attention to resolve

    Visit https://go.npm.me/audit-guide for additional guidance

    Moderate        Regular Expression Denial of Service
    Package         browserslist
    Patched in      >=4.16.5
    Dependency of   react-scripts
    Path            react-scripts > react-dev-utils > browserslist
    More info       https://npmjs.com/advisories/1747

    Moderate        Regular expression denial of service
    Package         glob-parent
    Patched in      >=5.1.2
    Dependency of   react-scripts
    Path            react-scripts > webpack > watchpack > watchpack-chokidar2 >
                    chokidar > glob-parent
    More info       https://npmjs.com/advisories/1751

    Moderate        Regular expression denial of service
    Package         glob-parent
    Patched in      >=5.1.2
    Dependency of   react-scripts
    Path            react-scripts > webpack-dev-server > chokidar > glob-parent
    More info       https://npmjs.com/advisories/1751

    found 3 moderate severity vulnerabilities in 2498 scanned packages
      3 vulnerabilities require manual review. See the full report for details.

This is the dependency tree:

1. devDependencies: react-scripts > react-dev-utils > browserslist
2. devDependencies: react-scripts > webpack > watchpack > watchpack-chokidar2 > chokidar > glob-parent
3. devDependencies: react-scripts > webpack-dev-server > chokidar > glob-parent

The vulnerability has been fixed in browserslist version >= 4.16.5 (current version in react-scripts: 4.14.2). The vulnerability has been fixed in glob-parent version > 5.1.2 (current version in react-scripts: 5.1.2).

Also, could you please let us know the ETAs planned for these vulnerabilities getting fixed in react-scripts version?
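The report above only lists advisories; when triaging a transitive finding like this it helps to confirm for yourself which installed copies of a package sit below the "Patched in" threshold, and along which dependency paths. The script below is an added example written for this issue, not code from react-scripts or npm: it walks a package-lock v1 `dependencies` tree and flags every copy of `browserslist` or `glob-parent` whose version is older than the patched version quoted in the audit output. The lockfile fragment is constructed to mirror the three paths listed in the issue; the intermediate package versions are placeholders, and the `glob-parent` 3.1.0 copy on the `watchpack-chokidar2` path is an assumed value, not one stated in the issue.

```javascript
// Added example for this issue (not react-scripts or npm code): find copies of
// advised packages below their "Patched in" version in a package-lock v1 tree.

// Thresholds and advisory links are the "Patched in" / "More info" values from
// the npm audit output quoted in the issue.
const ADVISORIES = {
  browserslist: { patched: '4.16.5', advisory: 'https://npmjs.com/advisories/1747' },
  'glob-parent': { patched: '5.1.2', advisory: 'https://npmjs.com/advisories/1751' },
};

// Constructed lockfile fragment (package-lock v1 shape). Paths follow the issue;
// '0.0.0' marks placeholder versions for intermediate packages, browserslist
// 4.14.2 and glob-parent 5.1.2 are the versions the issue states, and the
// glob-parent 3.1.0 copy is an assumed value used to show a flagged result.
const SAMPLE_LOCK = {
  dependencies: {
    'react-scripts': {
      version: '0.0.0',
      dependencies: {
        'react-dev-utils': {
          version: '0.0.0',
          dependencies: { browserslist: { version: '4.14.2' } },
        },
        webpack: {
          version: '0.0.0',
          dependencies: {
            watchpack: {
              version: '0.0.0',
              dependencies: {
                'watchpack-chokidar2': {
                  version: '0.0.0',
                  dependencies: {
                    chokidar: {
                      version: '0.0.0',
                      dependencies: { 'glob-parent': { version: '3.1.0' } },
                    },
                  },
                },
              },
            },
          },
        },
        'webpack-dev-server': {
          version: '0.0.0',
          dependencies: {
            chokidar: {
              version: '0.0.0',
              dependencies: { 'glob-parent': { version: '5.1.2' } },
            },
          },
        },
      },
    },
  },
};

// Compare two release versions (major.minor.patch) numerically.
// Returns -1, 0 or 1. Prerelease/build metadata is ignored, which is
// sufficient for a ">= patched" threshold check on release versions.
function compareVersions(a, b) {
  const pa = String(a).split('.').map(Number);
  const pb = String(b).split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Recursively walk the nested "dependencies" maps of a package-lock v1 file and
// collect every copy of an advised package whose version is below the patched
// threshold, together with the path that pulls it in.
function findVulnerable(lock, advisories, path = [], findings = []) {
  for (const [name, entry] of Object.entries(lock.dependencies || {})) {
    const here = [...path, name];
    const adv = advisories[name];
    if (adv && compareVersions(entry.version, adv.patched) < 0) {
      findings.push({
        package: name,
        version: entry.version,
        patched: adv.patched,
        path: here.join(' > '),
        advisory: adv.advisory,
      });
    }
    findVulnerable(entry, advisories, here, findings);
  }
  return findings;
}

// Render findings in the same "Path ... > pkg" style as npm audit.
function formatFindings(findings) {
  return findings.map(
    (f) => `${f.package}@${f.version} (patched in >=${f.patched}) via ${f.path} -- ${f.advisory}`
  );
}

console.log(formatFindings(findVulnerable(SAMPLE_LOCK, ADVISORIES)).join('\n'));
```

Against the constructed tree this flags `browserslist@4.14.2` on the `react-dev-utils` path and the assumed `glob-parent@3.1.0` on the `watchpack-chokidar2` path, while the `glob-parent@5.1.2` copy under `webpack-dev-server` is not flagged, because the audit threshold `>=5.1.2` includes 5.1.2 itself. To run it on a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; note that lockfiles in format v2/v3 carry a flat `packages` map in addition to (or instead of) the nested `dependencies` tree, which this walker does not read.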

ZuBB
Created 1 month ago

Also:

react-scripts > webpack-dev-server > ansi-html

details here – https://github.com/webpack/webpack-dev-server/pull/3801