Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security: Vulnerable dependency 'braces' needs update to resolve CVE-2024-4068 #387

Open
sebastianlaraai opened this issue Nov 12, 2024 · 0 comments
Open

Security: Vulnerable dependency 'braces' needs update to resolve CVE-2024-4068 #387

sebastianlaraai opened this issue Nov 12, 2024 · 0 comments

Comments

@sebastianlaraai
Copy link

the bug
The current version of react-simple-chatbot (0.6.1) includes a security vulnerability through transitive dependencies that use an older version of 'braces' (< 3.0.3), identified as CVE-2024-4068. This vulnerability allows potential DoS attacks through uncontrolled resource consumption.

To Reproduce
Steps to reproduce the behavior:

  1. Install [email protected]
  2. Run npm audit or check GitHub's Dependabot alerts
  3. Observe the vulnerability warning for 'braces' through:

Expected behavior
Dependencies should use braces >= 3.0.3 to prevent the vulnerability (CVE-2024-4068).

Additional context

  • CVE: CVE-2024-4068
  • Advisory: GHSA-grv7-fg5c-xmjg
  • The vulnerability cannot be fixed by end users due to explicit version requirements from transitive dependencies
  • Fix requires updating the dependencies in react-simple-chatbot to use newer versions of chokidar and micromatch that support braces >= 3.0.3
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@sebastianlaraai