Lucene search

K
osvGoogleOSV:GHSA-F7XJ-RG7H-MC87
HistoryJul 07, 2023 - 8:32 p.m.

Stylelint has vulnerability in semver dependency

2023-07-0720:32:55
Google
osv.dev
12
stylelint
semver vulnerability
npm audit fix

EPSS

0.001

Percentile

51.1%

Summary

Our meow dependency (which we use for our CLI) depended on [email protected] . A vulnerability in this version of semver was recently identified and surfaced by npm audit:

Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw

Details

Original post by the reporter:

"my npm audit show the report

semver <7.5.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
No fix available

And my dependencies tree for semver show your package

├─┬ [email protected]
│ └─┬ [email protected]
│ └─┬ [email protected]
│ └─┬ [email protected]
│ └─┬ [email protected]
│ └── [email protected] deduped

I found that [email protected] contains normalize-package-data@5 and I can fix this vulnerability because it uses semver@7. But I can’t update meow to the new major version because your package doesn’t allow it."

Update your package to use the ‘meow’ version >=10"

PoC

N/A

Impact

We anticipate the impact to be low as Stylelint is a dev tool and meow is only used on the CLI pathway.


⬇️ EDITED AFTER PUBLISHED ⬇️

Security fix backported to older semver versions

The same security fix has been backported to older semver versions of 5.x and 6.x. See the CVE-2022-25883 details.

So, you can fix this vulnerability by just updating semver in your project’s dependency tree, instead of updating stylelint. For details, see the example:

package.json:

{
  "dependencies": {
    "stylelint": "15.10.0"
  }
}

Run npm audit (here is no alert for semver):

$ npm ci
...

$ npm audit
...
stylelint  8.0.0 - 15.10.0
Stylelint has vulnerability in semver dependency - https://github.com/advisories/GHSA-f7xj-rg7h-mc87
fix available via `npm audit fix --force`
Will install [email protected], which is outside the stated dependency range
node_modules/stylelint

1 low severity vulnerability
...

$ npm ls semver
...
└─┬ [email protected]
  └─┬ [email protected]
    ├─┬ [email protected]
    │ └── [email protected]
    └─┬ [email protected]
      └─┬ [email protected]
        └─┬ [email protected]
          └── [email protected]