aws/aws-xray-sdk-node

Vulnerability in the library

rpodwika opened this issue · 6 comments

https://www.mend.io/vulnerability-database/CVE-2022-25883

-> aws-xray-sdk-3.5.0.tgz (Root Library)
   -> aws-xray-sdk-core-3.5.0.tgz
      -> cls-hooked-4.2.2.tgz
         -> ❌ semver-5.7.1.tgz (Vulnerable Library)

Hello. Are you planning to fix this? Any workaround I can use in the meantime? Thanks

Hi @rpodwika and @jhonnycordova, thanks for raising this issue

Do you mind clarifying where v5.7.1 is being brought in? I see semver v7.3.8 in the aws-xray-sdk-core package dependencies and semver v6.3.0 being pulled in from cls-hooked

PR #598 fixes the core package version, but the version being pulled in from cls-hooked is a transitive dependency

The cls-hooked package on the master branch does indeed have semver v6.3.0, but the v4.2.2 tag has semver v5.4.1. I'm not sure where 5.7.1 is coming from. In any event, the vulnerability described in the link above affects any version of semver prior to 7.5.2, so even installing from master will not resolve the problem.

The version from cls-hooked may be transitive, but it is enough to cause npm audit to complain.

I am seeing this vulnerability flagged for any version of semver < 7.5.2:
https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795

The paths given where it is introduced through are:

aws-xray-sdk-core@3.5.0 > cls-hooked@4.2.2 > semver@5.7.1
aws-xray-sdk@3.5.0 > aws-xray-sdk-core@3.5.0 > cls-hooked@4.2.2 > semver@5.7.1

Note that this is flagged as a high severity vulnerability.

Hi all, thank you for your responses! We are actively working on a fix

Node SDK v3.5.1, which includes the fix for this security vulnerability, has been released
https://github.com/aws/aws-xray-sdk-node/releases/tag/aws-xray-sdk-node%403.5.1