SAP/ui5-tooling

Cannot run `fiori run` commands on Windows due to CVE-2024-27980 (child_process.spawn and child_process.spawnSync)

GuillaumedesPommareSAP opened this issue · 2 comments

Expected Behavior

npm run start-mock serves resources

Current Behavior

Command run failed with error: spawn EINVAL

Steps to Reproduce the Issue

Just run any UI5 FE project using a Node version that has the CVE fixed (18.x, 20.x, 21.x are affected)

https://nodejs.org/en/blog/vulnerability/april-2024-security-releases-2

Context

ui5 --version 3.9.1
node --version v20.12.2
npm --version 10.5.0
OS Name: Microsoft Windows 11 Enterprise
OS Version: 10.0.22631 N/A Build 22631

Workaround (discouraged!):
in node_modules\.bin\fiori.cmd
add --security-revert=CVE-2024-27980
like so: endLocal & goto #_undefined_# 2>NUL || title %COMSPEC% & "%_prog%" --security-revert=CVE-2024-27980 "%dp0%\..\@sap\ux-ui5-tooling\bin\fiori" %*

Dear @GuillaumedesPommareSAP,

Thank you for reporting the issue; however, this seems to be something not directly related to UI5 Tooling.
Please report the issue to the correct repository or internal support system.

Best Regards