fix(security): upgrade http-proxy-middleware to >=2.0.7 to mitigate DoS
Versions of the package http-proxy-middleware before 2.0.7, and from 3.0.0
 before 3.0.3, are vulnerable to Denial of Service (DoS) due to an UnhandledPromiseRejection
 error thrown by micromatch. An attacker could kill the Node.js process
 and crash the server by making requests to certain paths.

CVE ID
CVE-2024-21536

GHSA ID
GHSA-c7qv-q95q-8v27

https://github.com/hyperledger-cacti/cacti/security/dependabot/1323

Fixes #3661

Signed-off-by: Peter Somogyvari <[email protected]>
petermetz committed Dec 4, 2024
1 parent 9ce00eb commit 02b4125
Showing 3 changed files with 40 additions and 28 deletions.
1 change: 1 addition & 0 deletions package.json
@@ -99,6 +99,7 @@
"glob-parent": ">=5.1.2",
"x-hoek": ">6.1.3",
"http-cache-semantics": ">=4.1.1",
"http-proxy-middleware": ">=2.0.7",
"x-ip": ">2.0.1",
"jsonwebtoken": ">=9.0.0",
"jsrsasign": ">=11.0.0",
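Review bot: The new `resolutions` entry `"http-proxy-middleware": ">=2.0.7"` is an open-ended range, and the yarn.lock hunk in this same commit resolves it to `version: 3.0.3` (`"http-proxy-middleware@npm:>=2.0.7"`), so the workspace package that this commit pins to `"http-proxy-middleware": "2.0.7"` in the second file section actually installs a new major. http-proxy-middleware 3.x changed the `createProxyMiddleware` API (the path-filter shorthand argument was replaced by the `pathFilter` option), so either the call sites need checking against 3.x or the resolution should be narrowed. If the intent is to stay on the patched 2.x line, `"http-proxy-middleware": ">=2.0.7 <3.0.0"` keeps the lock at 2.0.7, which the advisory text in the description lists as fixed; if 3.0.3 is intended, the package.json pin should say `"3.0.3"` so the manifest and the installed version agree. The `resolutions` object continues outside this hunk, and the same mismatch applies to the pinned package section and the yarn.lock section below.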
@@ -74,7 +74,7 @@
"axios": "1.7.7",
"ethers": "6.8.1",
"express": "4.21.0",
"http-proxy-middleware": "2.0.6",
"http-proxy-middleware": "2.0.7",
"minimist": "1.2.8",
"prom-client": "15.1.3",
"run-time-error-cjs": "1.4.0",
65 changes: 38 additions & 27 deletions yarn.lock
@@ -10510,7 +10510,7 @@ __metadata:
chalk: "npm:4.1.2"
ethers: "npm:6.8.1"
express: "npm:4.21.0"
http-proxy-middleware: "npm:2.0.6"
http-proxy-middleware: "npm:2.0.7"
js-yaml: "npm:4.1.0"
minimist: "npm:1.2.8"
prom-client: "npm:15.1.3"
@@ -17166,12 +17166,12 @@ __metadata:
languageName: node
linkType: hard

"@types/http-proxy@npm:^1.17.8":
version: 1.17.9
resolution: "@types/http-proxy@npm:1.17.9"
"@types/http-proxy@npm:^1.17.15":
version: 1.17.15
resolution: "@types/http-proxy@npm:1.17.15"
dependencies:
"@types/node": "npm:*"
checksum: 10/48075c535a5d4805feca388a539b4dcb80666963499018918584aefb4f7806c2c86b0c289bb0f1d96539816d90d702b7c2167e68c3ebe858725e598a1c3c05d2
checksum: 10/fa86d5397c021f6c824d1143a206009bfb64ff703da32fb30f6176c603daf6c24ce3a28daf26b3945c94dd10f9d76f07ea7a6a2c3e9b710e00ff42da32e08dea
languageName: node
linkType: hard

@@ -25358,6 +25358,18 @@ __metadata:
languageName: node
linkType: hard

"debug@npm:^4.3.6":
version: 4.3.7
resolution: "debug@npm:4.3.7"
dependencies:
ms: "npm:^2.1.3"
peerDependenciesMeta:
supports-color:
optional: true
checksum: 10/71168908b9a78227ab29d5d25fe03c5867750e31ce24bf2c44a86efc5af041758bb56569b0a3d48a9b5344c00a24a777e6f4100ed6dfd9534a42c1dde285125a
languageName: node
linkType: hard

"decamelize-keys@npm:^1.1.0":
version: 1.1.0
resolution: "decamelize-keys@npm:1.1.0"
@@ -32792,21 +32804,17 @@ __metadata:
languageName: node
linkType: hard

"http-proxy-middleware@npm:2.0.6, http-proxy-middleware@npm:^2.0.3":
version: 2.0.6
resolution: "http-proxy-middleware@npm:2.0.6"
"http-proxy-middleware@npm:>=2.0.7":
version: 3.0.3
resolution: "http-proxy-middleware@npm:3.0.3"
dependencies:
"@types/http-proxy": "npm:^1.17.8"
"@types/http-proxy": "npm:^1.17.15"
debug: "npm:^4.3.6"
http-proxy: "npm:^1.18.1"
is-glob: "npm:^4.0.1"
is-plain-obj: "npm:^3.0.0"
micromatch: "npm:^4.0.2"
peerDependencies:
"@types/express": ^4.17.13
peerDependenciesMeta:
"@types/express":
optional: true
checksum: 10/768e7ae5a422bbf4b866b64105b4c2d1f468916b7b0e9c96750551c7732383069b411aa7753eb7b34eab113e4f77fb770122cb7fb9c8ec87d138d5ddaafda891
is-glob: "npm:^4.0.3"
is-plain-object: "npm:^5.0.0"
micromatch: "npm:^4.0.8"
checksum: 10/32f58c29288ca63e109909fb998bd0f6f50eb15a98dec9487eac07dfc4f09d8507dbfa00b44442d868bafa904bd633c8bbd55686bb13b4d4af4f5c5b3bbca430
languageName: node
linkType: hard

@@ -34150,7 +34158,7 @@ __metadata:
languageName: node
linkType: hard

"is-glob@npm:^4.0.0, is-glob@npm:^4.0.1, is-glob@npm:^4.0.3, is-glob@npm:~4.0.1":
"is-glob@npm:^4.0.0, is-glob@npm:^4.0.3, is-glob@npm:~4.0.1":
version: 4.0.3
resolution: "is-glob@npm:4.0.3"
dependencies:
@@ -34368,13 +34376,6 @@ __metadata:
languageName: node
linkType: hard

"is-plain-obj@npm:^3.0.0":
version: 3.0.0
resolution: "is-plain-obj@npm:3.0.0"
checksum: 10/a6ebdf8e12ab73f33530641972a72a4b8aed6df04f762070d823808303e4f76d87d5ea5bd76f96a7bbe83d93f04ac7764429c29413bd9049853a69cb630fb21c
languageName: node
linkType: hard

"is-plain-obj@npm:^4.0.0":
version: 4.1.0
resolution: "is-plain-obj@npm:4.1.0"
@@ -39348,7 +39349,7 @@ __metadata:
languageName: node
linkType: hard

"micromatch@npm:^4.0.2, micromatch@npm:^4.0.5":
"micromatch@npm:^4.0.5":
version: 4.0.5
resolution: "micromatch@npm:4.0.5"
dependencies:
@@ -39368,6 +39369,16 @@ __metadata:
languageName: node
linkType: hard

"micromatch@npm:^4.0.8":
version: 4.0.8
resolution: "micromatch@npm:4.0.8"
dependencies:
braces: "npm:^3.0.3"
picomatch: "npm:^2.3.1"
checksum: 10/6bf2a01672e7965eb9941d1f02044fad2bd12486b5553dc1116ff24c09a8723157601dc992e74c911d896175918448762df3b3fd0a6b61037dd1a9766ddfbf58
languageName: node
linkType: hard

"miller-rabin@npm:^4.0.0":
version: 4.0.1
resolution: "miller-rabin@npm:4.0.1"
