[bug]: esbuild vulnerabilities #33

Open
jendcruz22 opened this issue Mar 12, 2025 · 0 comments
Labels
issue: bug Issue reporting a bug


jendcruz22 commented Mar 12, 2025

Strapi/pack-up version 5.1.0 currently uses esbuild v0.20.2 (and its Vite dependency uses esbuild v0.21.5), both of which are vulnerable due to a default CORS misconfiguration. This vulnerability (GHSA-67mh-4wv8-2f99, CVSS 5.3, CWE-346) allows an attacker to bypass same-origin restrictions when using the esbuild development server. Updating to esbuild ≥0.25.0 (as used in Vite milestone ≥6.2.0) would mitigate this risk.

What's Wrong?

Current Versions:

  • Strapi/pack-up 5.1.0 uses esbuild v0.20.2.
  • Vite v5.4.8 (used by Strapi) in turn uses esbuild v0.21.5.

Patched Version:

  • Vite milestone ≥6.2.0 now uses a patched esbuild version (≥0.25.0).

Vulnerability Information:

  • Identifier: pkg:npm/[email protected] (and other versions <0.25.0)
  • CVE: GHSA-67mh-4wv8-2f99
  • Severity: Moderate (Base CVSS Score: 5.3, Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N)
  • CWE: CWE-346

Technical Issue:

  • The esbuild development server in versions prior to 0.25.0 sets Access-Control-Allow-Origin: * for all responses—including for Server-Sent Events (SSE) endpoints and bundled asset requests. This overly permissive CORS configuration can allow a remote attacker to fetch internal JavaScript bundles and source maps from the development server.

Impact

Vulnerability Type:

  • Unsafe default CORS settings in esbuild’s development server.

Potential Impact:

  • In a misconfigured deployment or during development, sensitive JavaScript bundles and source maps can be accessed from a remote origin, potentially exposing internal application logic or confidential information.

Scope:

  • This vulnerability primarily affects environments that rely on the esbuild development server. While production deployments should not run the development server, accidental exposure or misconfiguration can lead to information leakage.

Recommendation:

  • Update the esbuild dependency (and transitively Vite’s dependency, if applicable) to a version ≥0.25.0 where this issue has been patched. This would bring Strapi/pack-up in line with Vite milestone ≥6.2.0 and reduce the risk of unauthorized asset access.

To Reproduce

Setup:

Use a Strapi project running pack-up 5.1.0 (which installs esbuild v0.20.2) in development mode.

Reproduction Steps:

  • Start the development server normally.
  • From a browser on a different origin (or using a tool like curl or a browser console), execute:

    fetch("http://<strapi-dev-host>:<port>/main.js")
      .then(response => response.text())
      .then(console.log)
      .catch(console.error);

  • Due to the default CORS header (Access-Control-Allow-Origin: *), the request will succeed and return the bundled JavaScript content (or source maps if enabled).

Observation:

  • This demonstrates that an attacker (or any unauthenticated user) could retrieve potentially sensitive bundled assets simply by knowing or guessing the URL.

Expected Behaviour

A security tool such as OWASP shouldn't identify any vulnerabilities when @strapi/pack-up is being utilized.
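The header check below is an added example, not code from this issue, from esbuild or from Strapi. It shows what a scanner such as OWASP ZAP is reacting to in the pre-0.25.0 default described above (a wildcard `Access-Control-Allow-Origin` on bundles, source maps and the `/esbuild` server-sent-events endpoint), and, next to it, the origin-allowlist logic a hardened dev server emits instead. The header samples, the `http://localhost:1337` allowlist and the `SENSITIVE_PATH` pattern are constructed for illustration; the function names are my own.

```javascript
// Added example (not from the issue, esbuild or Strapi): audit one dev-server
// response for the permissive CORS default, and compute the hardened headers
// an origin allowlist would produce instead. All sample values are constructed.

// Paths a bundler dev server serves that should not be readable cross-origin:
// JavaScript bundles, source maps and the /esbuild live-reload SSE endpoint.
const SENSITIVE_PATH = /\.(js|mjs|map)$|\/esbuild$/;

/**
 * Audit the response headers of a single dev-server response.
 * `headers` is a plain object keyed by lower-cased header names.
 * Returns { permissive: boolean, reasons: string[] }.
 */
function auditCorsHeaders(path, headers) {
  const reasons = [];
  const acao = headers['access-control-allow-origin'];
  if (acao === '*') {
    reasons.push('Access-Control-Allow-Origin is the wildcard "*"');
  }
  if (acao === '*' && headers['access-control-allow-credentials'] === 'true') {
    reasons.push('wildcard origin combined with Access-Control-Allow-Credentials');
  }
  if (reasons.length > 0 && SENSITIVE_PATH.test(path)) {
    reasons.push(`${path} (bundle, source map or SSE endpoint) is readable from any origin`);
  }
  return { permissive: reasons.length > 0, reasons };
}

/**
 * Hardened alternative: derive CORS headers from an explicit origin allowlist.
 * Only an exact allowlisted origin is echoed back; any other origin gets no
 * Access-Control-Allow-Origin header, so the browser refuses the cross-origin read.
 */
function corsHeadersFor(requestOrigin, allowedOrigins) {
  // Vary: Origin tells caches the response differs per requesting origin.
  const headers = { vary: 'Origin' };
  if (requestOrigin && allowedOrigins.includes(requestOrigin)) {
    headers['access-control-allow-origin'] = requestOrigin;
  }
  return headers;
}

// Constructed sample: the default headers a pre-0.25.0 esbuild dev server sends.
const LEGACY_RESPONSE = {
  'content-type': 'application/javascript',
  'access-control-allow-origin': '*',
};

// Constructed allowlist: the single origin allowed to read the dev bundles.
const allowlist = ['http://localhost:1337'];

const legacyFinding = auditCorsHeaders('/main.js', LEGACY_RESPONSE);
const hardenedAllowed = auditCorsHeaders(
  '/main.js', corsHeadersFor('http://localhost:1337', allowlist));
const hardenedForeign = auditCorsHeaders(
  '/main.js', corsHeadersFor('https://other-origin.invalid', allowlist));

console.log('legacy default    :', legacyFinding);
console.log('allowlisted origin:', hardenedAllowed);
console.log('foreign origin    :', hardenedForeign);
```

Run it with `node` and compare the first result (two findings, `permissive: true`) with the other two (`permissive: false`): the foreign origin simply receives no `Access-Control-Allow-Origin` header rather than a reflected one, which is the behaviour a scanner should see once the dependency is on esbuild ≥0.25.0 and any allowlist is restricted to the origins that actually need to load the bundles.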

@jendcruz22 jendcruz22 added the issue: bug Issue reporting a bug label Mar 12, 2025