reduxjs/redux

Bitmedic Pro find CVE-2016-720 exploit in Redux.

argaurav opened this issue · 2 comments

Prior Issues

Are there any existing issues or PRs that relate to this problem? If so, link them here.

I couldn't find any issue mentioning this exploit.

What is the current behavior?

When we do an anti-virus scan with Redux in a javascript file. Bitmedic complains about presence of an exploit.

image

Just installing the redux in a folder results in Bitmedic detecting these exploits.

What does Redux do right now.

It would be good to not get these exploits when users scan our code using Bitmedic.

Steps to Reproduce

If the current behavior is a bug, please provide the steps to reproduce and if possible a minimal demo of the problem via https://codesandbox.io or similar.

  1. Install redux in a folder.
  2. Use Bitmedic Pro to scan that folder.
  3. We should have Bitmedic complain about these exploits.

What is the expected behavior?

What should Redux be doing?

Environment Details

Which versions of Redux, and which browser and OS are affected by this issue? Did this work in previous versions of Redux?
Tested on latest version of Redux

{
  "dependencies": {
    "@reduxjs/toolkit": "^1.9.5",
    "react-redux": "^8.1.1"
  }
}

That's not a valid CVE id, it needs to have one more character to make any sense.

That said, it's highly unlikely that there is really a CVE from 2016 in this package, and it's far more likely your virus scanner has a false positive.

PS: I just checked, all CVEs CVE-2016-7200 to CVE-2016-7209 have to do with Microsoft Edge, with the old engine they stopped using a few years ago. Even if this were in there (it isn't), it would be irrelevant in the year 2023.

That antivirus software support site has four FAQ entries and no way of reporting false positives.
That should be the minimum an antivirus company provides.

To be honest at this point I'm not sure if that is a reliable working Antivirus Software.