jakejs/jake

Update "async": Security vulnerability, prototype pollution

klassm opened this issue · 14 comments

Hi there,

there is a security vulnerability in the old async version, which is currently in use (GHSA-fwr7-v2mv-hh25). Would it be possible to update async to the latest version? This is a jump however from 0.9.x to 3.x.

Thanks
Matthias

https://github.ibm.com/advisories/GHSA-fwr7-v2mv-hh25
high severity
Vulnerable versions: < 3.2.2
Patched version: 3.2.2
A vulnerability exists in Async through 3.2.1 (fixed in 3.2.2), which could let a malicious user obtain privileges via the mapValues() method.

fix waiting to be merged at #409

subscribed so I can update ejs when its merged

Fixed with #411!
@mde can we get a new release please?

We too are waiting for the release with fix of #411 to be available.

Can't wait to upgrade to new release version with the fix of #411

Waiting for the fix of #411 to be released

Hopefully this will be released! #412 cc @mde

Waiting for the async audit fix urgently, our production deployment is blocked because of this. Request to kindly expedite.

@shreya410 I share your sense of urgency, but I'm not sure that requesting that the work be expedited is what's needed here. Instead, it's a good time to reflect on the fact that so many talented people are choosing to devote their time to produce this useful software and make it freely available to the world. It might be possible to expedite it if more people provided funding to support that development, though.

Absolutely! I deeply appreciate everyone's contributions here. Apologies if this sounded ungrateful.

mde commented

Apologies for the delay on this. Pushed to NPM, v10.8.5.

Re. funding, the suggestions are appreciated, but I have a hard time imagining how donations for a project like this would pay anything resembling a full-time developer's salary.

Again, apologies for the delay pushing this out. I'll do my best to be a little more on top of these arbitrary bumps that are required to satisfy automated security audits.

And a quick reminder, I will delete posts on threads that I consider needlessly belligerent.

Same here,
Getting

async <2.6.4
Severity: high
Prototype Pollution in async - GHSA-fwr7-v2mv-hh25
fix available via npm audit fix --force
Will install prompt@0.1.7, which is a breaking change
node_modules/winston/node_modules/async
winston 0.4.0 - 3.0.0-rc6
Depends on vulnerable versions of async
node_modules/winston
prompt >=0.1.8
Depends on vulnerable versions of winston
node_modules/prompt

3 high severity vulnerabilities
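The npm audit output above shows the usual shape of this finding: the flagged copy of async is not the top-level one but a nested copy pulled in by an intermediate dependency (winston under prompt), so bumping async in your own package.json does nothing. The script below is an added example, not code from jake, async or anyone on this thread. It walks a package-lock.json (lockfileVersion 2 or 3, the "packages" map) and lists every installed copy of async with the dependency chain that owns it, flagging versions inside the ranges quoted on this page. The bounds are an assumption taken from the thread: "< 2.6.4" from the npm audit output for the 2.x line, and 3.0.0 up to but not including 3.2.2 from the advisory text; the SAMPLE_LOCK object is constructed for the example and does not describe any real project.

```javascript
// Added example: find nested copies of `async` in a package-lock.json and
// flag those in the vulnerable ranges quoted on this thread.
// Not jake's, async's or npm's code.

// Assumption: the two ranges below are read off this thread
// (npm audit: async <2.6.4; advisory: 3.x through 3.2.1, fixed in 3.2.2).
const VULN_RANGES = [
  { lo: null, hi: [2, 6, 4] },      // < 2.6.4
  { lo: [3, 0, 0], hi: [3, 2, 2] }, // >= 3.0.0, < 3.2.2
];

// Parse "1.2.3" (optionally prefixed with "v") into [1, 2, 3]; null otherwise.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Numeric major/minor/patch comparison; returns -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the version sits inside one of VULN_RANGES.
// Unparseable versions (git URLs, tags) are returned as not matched so the
// caller can decide how to treat them; they are still listed in the report.
function isVulnerableAsync(version) {
  const v = parseVersion(version);
  if (!v) return false;
  return VULN_RANGES.some(
    (r) =>
      (r.lo === null || compareVersions(v, r.lo) >= 0) &&
      compareVersions(v, r.hi) < 0,
  );
}

// Turn a lock path such as
// "node_modules/prompt/node_modules/winston/node_modules/async"
// into ["prompt", "winston", "async"]. Scoped names keep their "@scope/" part.
function chainFromPath(pkgPath) {
  return pkgPath
    .split("node_modules/")
    .map((s) => s.replace(/\/$/, ""))
    .filter((s) => s.length > 0);
}

// Walk the lock's "packages" map and report every installed copy of async.
function findAsyncCopies(lock) {
  if (!lock || typeof lock.packages !== "object") {
    throw new Error("expected lockfileVersion 2 or 3 (a 'packages' map)");
  }
  const copies = [];
  for (const [pkgPath, entry] of Object.entries(lock.packages)) {
    const chain = chainFromPath(pkgPath);
    if (chain.length === 0 || chain[chain.length - 1] !== "async") continue;
    copies.push({
      path: pkgPath,
      version: entry.version,
      chain: chain.join(" > "),
      vulnerable: isVulnerableAsync(entry.version),
    });
  }
  return copies;
}

// Constructed sample lock for this example (not from a real project).
// The prompt -> winston -> async nesting mirrors the audit output above.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/async": { version: "3.2.4" },
    "node_modules/jake": { version: "10.8.2" },
    "node_modules/jake/node_modules/async": { version: "0.9.2" },
    "node_modules/prompt": { version: "1.3.0" },
    "node_modules/prompt/node_modules/winston": { version: "2.4.5" },
    "node_modules/prompt/node_modules/winston/node_modules/async": { version: "2.6.3" },
    "node_modules/other": { version: "1.0.0" },
    "node_modules/other/node_modules/async": { version: "2.6.4" },
  },
};

// Print a one-line-per-copy report for the sample lock.
for (const c of findAsyncCopies(SAMPLE_LOCK)) {
  const tag = c.vulnerable ? "VULNERABLE" : "ok        ";
  console.log(`${tag} async@${c.version}  via ${c.chain}`);
}
```

To run it against your own project, read the lock with `fs.readFileSync("package-lock.json", "utf8")`, `JSON.parse` it and pass the object to `findAsyncCopies`. The chain column tells you which intermediate package actually pins the old async, which is the package you have to upgrade (here jake, as the maintainer says below), not async itself; an `npm audit fix --force` that silently downgrades an intermediate package, as the audit output above warns it would do with prompt, is usually the worse option.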

mde commented

This has been fixed. You need to update Jake.