guidone/node-red-contrib-chatbot

Snyk vulnerabilities

girishghoda opened this issue · 1 comment

Title

Snyk vulnerabilities

Description

  • There are multiple Snyk vulnerabilities in dependencies used in Chatbot. They are listed below:

  • Critical

    • sequelize(SQL Injection): Introduced through: node-red-contrib-chatbot › chat-platform@2.1.4 › sequelize@5.22.5
  • High

    • ansi-regex(Regular Expression Denial of Service (ReDoS)): Introduced through: node-red-contrib-chatbot › chat-platform@2.1.4 › cli-color@1.4.0 › ansi-regex@2.1.1
    • sequelize(Improper Filtering of Special Elements): Introduced through: node-red-contrib-chatbot › chat-platform@2.1.4 › sequelize@5.22.5
    • sequelize(SQL Injection): Introduced through: node-red-contrib-chatbot › chat-platform@2.1.4 › sequelize@5.22.5
    • async(Prototype Pollution): Introduced through: node-red-contrib-chatbot › express-sessions@1.0.6 › mongoose@4.13.21 › async@2.6.0
    • mquery(Prototype Pollution): Introduced through: node-red-contrib-chatbot › express-sessions@1.0.6 › mongoose@4.13.21 › mquery@2.3.3
    • qs(Prototype Poisoning): Introduced through: node-red-contrib-chatbot › express-sessions@1.0.6 › express@2.5.11 › qs@0.4.2
    • qs(Denial of Service): Introduced through: node-red-contrib-chatbot › express-sessions@1.0.6 › express@2.5.11 › qs@0.4.2
    • qs(Prototype Override Protection Bypass): Introduced through: node-red-contrib-chatbot › express-sessions@1.0.6 › express@2.5.11 › qs@0.4.2
    • mongoose(Prototype Pollution): Introduced through: node-red-contrib-chatbot › express-sessions@1.0.6 › mongoose@4.13.21
    • bson(Internal Property Tampering): Introduced through: node-red-contrib-chatbot › express-sessions@1.0.6 › mongoose@4.13.21 › bson@1.0.9
    • bson(Internal Property Tampering): Introduced through: node-red-contrib-chatbot › express-sessions@1.0.6 › mongoose@4.13.21 › mongodb@2.2.34 › mongodb-core@2.1.18 › bson@1.0.9
    • mongodb(Denial of Service): Introduced through: node-red-contrib-chatbot › express-sessions@1.0.6 › mongoose@4.13.21 › mongodb@2.2.34

Some other info

The express-sessions npm package was last updated 7 years ago, and most of the vulnerabilities are introduced through this dependency.
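To check the "Introduced through" chains and the claim that most findings arrive via express-sessions, the following script walks a package-lock.json in the lockfileVersion 1 layout (nested `dependencies` objects with a `version` field) and recovers every chain to each flagged package@version. This is an added example, not code from the repository or from Snyk; the lock tree it contains is constructed to mirror the chains listed in the report and is not the project's real lockfile.

```javascript
// Added example (not project or Snyk code): recover "Introduced through" chains
// from a lockfileVersion 1 package-lock.json tree and count how many flagged
// packages are reachable under each top-level dependency.

// Constructed lock tree mirroring the chains in the report above. Only the
// packages named in the report are present; it is not the real package-lock.json.
const lock = {
  name: "node-red-contrib-chatbot",
  dependencies: {
    "chat-platform": {
      version: "2.1.4",
      dependencies: {
        sequelize: { version: "5.22.5" },
        "cli-color": {
          version: "1.4.0",
          dependencies: { "ansi-regex": { version: "2.1.1" } },
        },
      },
    },
    "express-sessions": {
      version: "1.0.6",
      dependencies: {
        mongoose: {
          version: "4.13.21",
          dependencies: {
            async: { version: "2.6.0" },
            mquery: { version: "2.3.3" },
            bson: { version: "1.0.9" },
            mongodb: {
              version: "2.2.34",
              dependencies: {
                "mongodb-core": {
                  version: "2.1.18",
                  dependencies: { bson: { version: "1.0.9" } },
                },
              },
            },
          },
        },
        express: {
          version: "2.5.11",
          dependencies: { qs: { version: "0.4.2" } },
        },
      },
    },
  },
};

// Flagged package@version pairs taken from the report, one per distinct package
// (sequelize, qs and bson each carry more than one advisory).
const flagged = [
  ["sequelize", "5.22.5"], ["ansi-regex", "2.1.1"], ["async", "2.6.0"],
  ["mquery", "2.3.3"], ["qs", "0.4.2"], ["mongoose", "4.13.21"],
  ["bson", "1.0.9"], ["mongodb", "2.2.34"],
];

// Every chain root › dep@ver › ... › name@version, in lockfile order. The version
// is matched exactly: a lockfile records resolved versions, and a different
// resolved version of the same package would be a separate finding.
function introductionPaths(tree, name, version) {
  const found = [];
  const walk = (node, path) => {
    for (const [depName, dep] of Object.entries(node.dependencies || {})) {
      const next = [...path, `${depName}@${dep.version}`];
      if (depName === name && dep.version === version) found.push(next.join(" › "));
      walk(dep, next); // keep descending: the same package can be nested deeper too
    }
  };
  walk(tree, [tree.name]);
  return found;
}

// Strip the "@version" suffix (uses lastIndexOf so scoped "@org/pkg@1.0.0" works).
const pkgName = (s) => s.slice(0, s.lastIndexOf("@"));

// Number of distinct flagged packages reachable under each top-level dependency:
// the check behind "most of the vulnerabilities come through express-sessions".
function flaggedByTopLevel(tree, pairs) {
  const counts = {};
  for (const [name, version] of pairs) {
    const tops = new Set(
      introductionPaths(tree, name, version).map((p) => pkgName(p.split(" › ")[1]))
    );
    for (const top of tops) counts[top] = (counts[top] || 0) + 1;
  }
  return counts;
}

// Print the full report when run directly.
for (const [name, version] of flagged) {
  for (const p of introductionPaths(lock, name, version)) console.log(p);
}
console.log(flaggedByTopLevel(lock, flagged));
```

On a real checkout, `npm ls bson` or `npm explain bson` (npm 7+) prints the same chains from the installed tree. Lockfiles with `lockfileVersion` 2 or 3 store a flat `packages` map keyed by `node_modules/...` paths instead of nested `dependencies`, so the walker would need to be adapted for those.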

Hey @girishghoda,
We're part of a startup called Seal Security that mitigates software vulnerabilities in older open source versions by backporting/creating standalone security patches, enabling more straightforward remediation in cases like this. We created a bson@1.0.9-sp1 that's vulnerability-free. As with all of our patches, it's open-source and available for free.

If relevant, check out our GitHub repo if you wish to learn more, or start using our app. It's free to use for open-source projects!

Please feel free to reach us at info@seal.security if you have any requests/questions.