auth0/idtoken-verifier

Potential vulnerability introduced in idtoken-verifier

vincentsum777 opened this issue · 1 comment

Hi, @stevehobbsdev, there is a high-severity vulnerability introduced by the package crypto-js:

Issue Description

I noticed that a vulnerability is introduced in idtoken-verifier@2.2.0:
Vulnerability SNYK-JS-CRYPTOJS-548472 (high severity) affects package crypto-js (versions: <3.2.1, >=3.3.0 <4.0.0): https://snyk.io/vuln/SNYK-JS-CRYPTOJS-548472
The above vulnerable package is referenced by idtoken-verifier@2.2.0 via:
idtoken-verifier@2.2.0 ➔ crypto-js@3.3.0

Since idtoken-verifier@2.2.0 (51,599 downloads per week) is referenced by 257 downstream projects (e.g., auth0-js 9.16.2 (latest version), auth0-lock 11.30.4 (latest version), @ctx-core/auth0 25.0.44 (latest version), @ctx-core/auth0-ui 10.0.50 (latest version)), the vulnerability SNYK-JS-CRYPTOJS-548472 can be propagated into these downstream projects and expose security threats to them via the following package dependency paths:
(1) 8base-react-sdk@2.2.0 ➔ @8base-react/app-provider@2.2.0 ➔ @8base-react/auth@2.2.0 ➔ @8base/auth@2.2.0 ➔ @8base/web-auth0-auth-client@2.2.0 ➔ auth0-js@9.16.2 ➔ idtoken-verifier@2.2.0 ➔ crypto-js@3.3.0
(2) @al/responder@1.0.59 ➔ @al/core@1.0.138 ➔ auth0-js@9.16.2 ➔ idtoken-verifier@2.2.0 ➔ crypto-js@3.3.0
(3) @corva/ui@0.11.0 ➔ auth0-js@9.16.2 ➔ idtoken-verifier@2.2.0 ➔ crypto-js@3.3.0
......

If idtoken-verifier removes the vulnerable package from the above version, then its fixed version can help downstream users decrease their pain.

Given the large number of downstream users, could you help update your package to remove the vulnerability from idtoken-verifier@2.2.0?

Fixing suggestions

In idtoken-verifier@2.2.1, you can kindly perform the following upgrade:
crypto-js 3.3.0 ➔ 4.0.0

Note:
crypto-js@4.0.0 (>=4.0.0) has fixed the vulnerability (SNYK-JS-CRYPTOJS-548472).
Of course, you are welcome to share other ways to resolve the issue.

Thank you for your attention to this issue. ^_^
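The dependency paths listed in the report can be reproduced mechanically. The following is an added example, not code from the issue or from the idtoken-verifier project: it walks a constructed dependency tree (shaped like a flattened package-lock) and reports every path that ends in a crypto-js version inside the advisory range quoted above (<3.2.1 or >=3.3.0 <4.0.0). The tree contents are constructed sample data mirroring path (3); the `other-lib` branch is a hypothetical patched dependency.

```javascript
// Added example, not part of auth0/idtoken-verifier. Finds dependency paths that
// reach crypto-js in the range the advisory gives: <3.2.1 || >=3.3.0 <4.0.0.

const parseVersion = (v) => v.split('.').map(Number);

// Compare two "x.y.z" strings numerically; returns -1, 0 or 1.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Affected ranges exactly as stated in the issue (SNYK-JS-CRYPTOJS-548472).
function isVulnerableCryptoJs(version) {
  return compareVersions(version, '3.2.1') < 0 ||
    (compareVersions(version, '3.3.0') >= 0 && compareVersions(version, '4.0.0') < 0);
}

// tree: { "name@version": { deps: ["name@version", ...] } }
// Returns each root-to-crypto-js path whose crypto-js version is in range.
function findVulnerablePaths(tree, root) {
  const paths = [];
  const walk = (node, path, seen) => {
    if (seen.has(node)) return;                         // guard against dependency cycles
    const [name, version] = node.split(/@(?=[^@]*$)/);  // split at the last '@' so scoped names survive
    const next = [...path, node];
    if (name === 'crypto-js' && isVulnerableCryptoJs(version)) paths.push(next.join(' -> '));
    for (const dep of (tree[node] || { deps: [] }).deps) walk(dep, next, new Set([...seen, node]));
  };
  walk(root, [], new Set());
  return paths;
}

// Constructed sample tree: path (3) from the issue plus a hypothetical branch on the fixed version.
const SAMPLE_TREE = {
  '@corva/ui@0.11.0': { deps: ['auth0-js@9.16.2', 'other-lib@1.0.0'] },
  'auth0-js@9.16.2': { deps: ['idtoken-verifier@2.2.0'] },
  'idtoken-verifier@2.2.0': { deps: ['crypto-js@3.3.0'] },
  'other-lib@1.0.0': { deps: ['crypto-js@4.0.0'] },   // hypothetical, already on 4.0.0
  'crypto-js@3.3.0': { deps: [] },
  'crypto-js@4.0.0': { deps: [] },
};

console.log(findVulnerablePaths(SAMPLE_TREE, '@corva/ui@0.11.0'));
```

Only the branch through idtoken-verifier@2.2.0 is reported; the branch on crypto-js@4.0.0 is outside the range and stays silent.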

Thanks @vincentsum777, we're aware of the issue and have tried to take steps to resolve it. Unfortunately, the upgrade is incompatible with some upstream packages and requires further investigation and work to resolve.

However, we determined that we don't use any of the API that the vulnerability concerns, so this can safely be ignored for a time by your scanners. We appreciate that this is setting off some scanners unnecessarily, though, and are working on a fix.