Lucene search

K
githubGitHub Advisory DatabaseGHSA-F7XJ-RG7H-MC87
HistoryJul 07, 2023 - 8:32 p.m.

Stylelint has vulnerability in semver dependency

2023-07-0720:32:55
GitHub Advisory Database
github.com
62
stylelint
vulnerability
semver
update
meow
cli
dependency
dev tool

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

51.1%

Summary

Our meow dependency (which we use for our CLI) depended on [email protected] . A vulnerability in this version of semver was recently identified and surfaced by npm audit:

Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw

Details

Original post by the reporter:

"my npm audit show the report

semver <7.5.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
No fix available

And my dependencies tree for semver show your package

├─┬ [email protected]
│ └─┬ [email protected]
│ └─┬ [email protected]
│ └─┬ [email protected]
│ └─┬ [email protected]
│ └── [email protected] deduped

I found that [email protected] contains normalize-package-data@5 and I can fix this vulnerability because it uses semver@7. But I can’t update meow to the new major version because your package doesn’t allow it."

Update your package to use the ‘meow’ version >=10"

PoC

N/A

Impact

We anticipate the impact to be low as Stylelint is a dev tool and meow is only used on the CLI pathway.


⬇️ EDITED AFTER PUBLISHED ⬇️

Security fix backported to older semver versions

The same security fix has been backported to older semver versions of 5.x and 6.x. See the CVE-2022-25883 details.

So, you can fix this vulnerability by just updating semver in your project’s dependency tree, instead of updating stylelint. For details, see the example:

package.json:

{
  "dependencies": {
    "stylelint": "15.10.0"
  }
}

Run npm audit (here is no alert for semver):

$ npm ci
...

$ npm audit
...
stylelint  8.0.0 - 15.10.0
Stylelint has vulnerability in semver dependency - https://github.com/advisories/GHSA-f7xj-rg7h-mc87
fix available via `npm audit fix --force`
Will install [email protected], which is outside the stated dependency range
node_modules/stylelint

1 low severity vulnerability
...

$ npm ls semver
...
└─┬ [email protected]
  └─┬ [email protected]
    ├─┬ [email protected]
    │ └── [email protected]
    └─┬ [email protected]
      └─┬ [email protected]
        └─┬ [email protected]
          └── [email protected]

Affected configurations

Vulners
Node
stylelintRange8.0.0
OR
stylelintRange<15.10.1
CPENameOperatorVersion
stylelintge8.0.0
stylelintlt15.10.1

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

51.1%