
Current release of @vue/cli-service is affected by CVE-2021-23362 Regular Expression Denial of Service #6461

Closed
undergroundwires opened this issue May 7, 2021 · 4 comments


undergroundwires commented May 7, 2021

Version

4.5.11 and 4.5.12

Environment info

Environment Info:

  System:
    OS: macOS 11.2.3
    CPU: (12) x64 Intel(R) Core(TM) i7-9750H CPU @ 2.60GHz
  Binaries:
    Node: 14.1.0 - /usr/local/bin/node
    Yarn: Not Found
    npm: 7.11.2 - /usr/local/bin/npm
  Browsers:
    Chrome: Not Found
    Edge: Not Found
    Firefox: 88.0
    Safari: 14.0.3
  npmPackages:
    @fortawesome/vue-fontawesome: ^2.0.2 => 2.0.2 
    @vue/babel-helper-vue-jsx-merge-props:  1.2.1 
    @vue/babel-helper-vue-transform-on:  1.0.2 
    @vue/babel-plugin-jsx:  1.0.6 
    @vue/babel-plugin-transform-vue-jsx:  1.2.1 
    @vue/babel-preset-app:  4.5.12 
    @vue/babel-preset-jsx:  1.2.4 
    @vue/babel-sugar-composition-api-inject-h:  1.2.1 
    @vue/babel-sugar-composition-api-render-instance:  1.2.4 
    @vue/babel-sugar-functional-vue:  1.2.2 
    @vue/babel-sugar-inject-h:  1.2.2 
    @vue/babel-sugar-v-model:  1.2.3 
    @vue/babel-sugar-v-on:  1.2.3 
    @vue/cli-overlay:  4.5.12 
    @vue/cli-plugin-babel: ^4.5.12 => 4.5.12 
    @vue/cli-plugin-router:  4.5.12 
    @vue/cli-plugin-typescript: ^4.5.12 => 4.5.12 
    @vue/cli-plugin-unit-mocha: ^4.5.12 => 4.5.12 
    @vue/cli-plugin-vuex:  4.5.12 
    @vue/cli-service: ^4.5.12 => 4.5.12 
    @vue/cli-shared-utils:  4.5.12 
    @vue/component-compiler-utils:  3.2.0 
    @vue/preload-webpack-plugin:  1.1.2 
    @vue/test-utils: 1.2.0 => 1.2.0 
    @vue/web-component-wrapper:  1.3.0 
    typescript: ^4.2.4 => 4.2.4 
    vue: ^2.6.12 => 2.6.12 
    vue-class-component: ^7.2.6 => 7.2.6 
    vue-cli-plugin-electron-builder: ^2.0.0-rc.6 => 2.0.0-rc.6 
    vue-cli-webpack:  1.0.0 
    vue-hot-reload-api:  2.3.4 
    vue-js-modal: ^2.0.0-rc.6 => 2.0.0-rc.6 
    vue-loader:  15.9.6 (16.2.0)
    vue-property-decorator: ^9.1.2 => 9.1.2 
    vue-resize:  1.0.1 
    vue-style-loader:  4.1.2 
    vue-template-compiler: ^2.6.12 => 2.6.12 
    vue-template-es2015-compiler:  1.9.1 
  npmGlobalPackages:
    @vue/cli: 4.5.10

Steps to reproduce

  • Clone any repo (I tested on privacy.sexy)
  • Run npm install
  • Run npm audit

What is expected?

No vulnerabilities from hosted-git-info

What is actually happening?

npm audit reports the following:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Regular Expression Deinal of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hosted-git-info                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.0.8                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @vue/cli-plugin-babel [dev]                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @vue/cli-plugin-babel > @vue/cli-shared-utils > read-pkg >   │
│               │ normalize-package-data > hosted-git-info                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1677                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Regular Expression Deinal of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hosted-git-info                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.0.8                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @vue/cli-plugin-typescript [dev]                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @vue/cli-plugin-typescript > @vue/cli-shared-utils >         │
│               │ read-pkg > normalize-package-data > hosted-git-info          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1677                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Regular Expression Deinal of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hosted-git-info                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.0.8                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @vue/cli-plugin-unit-mocha [dev]                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @vue/cli-plugin-unit-mocha > @vue/cli-shared-utils >         │
│               │ read-pkg > normalize-package-data > hosted-git-info          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1677                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Regular Expression Deinal of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hosted-git-info                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.0.8                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @vue/cli-service [dev]                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @vue/cli-service > @vue/cli-plugin-router >                  │
│               │ @vue/cli-shared-utils > read-pkg > normalize-package-data >  │
│               │ hosted-git-info                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1677                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Regular Expression Deinal of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hosted-git-info                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.0.8                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @vue/cli-service [dev]                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @vue/cli-service > @vue/cli-shared-utils > read-pkg >        │
│               │ normalize-package-data > hosted-git-info                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1677                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Regular Expression Deinal of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hosted-git-info                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.0.8                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ vue-cli-plugin-electron-builder [dev]                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ vue-cli-plugin-electron-builder > @vue/cli-shared-utils >    │
│               │ read-pkg > normalize-package-data > hosted-git-info          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1677                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

See also #6424
https://www.npmjs.com/advisories/1677
https://nvd.nist.gov/vuln/detail/CVE-2021-23362

undergroundwires changed the title from "Current release of @vue/cli-service is affected by CVE-2021-23362" to "Current release of @vue/cli-service is affected by CVE-2021-23362 Regular Expression Denial of Service" on May 7, 2021

haoqunjiang (Member) commented

  1. This vulnerability warning is pointless in the context of Vue CLI usage, please ignore it if possible;
  2. It's not possible for Vue CLI to upgrade to the latest version of read-pkg, because it only provides ESM export.

haoqunjiang (Member) commented May 8, 2021

So if we are to solve this issue in this repository, the only choice left is to re-implement read-pkg.
It would be a very, very low priority to me, because this re-implementation takes time but brings nothing good except a false sense of security.

haoqunjiang (Member) commented

Well, after looking into your project, I find that the required hosted-git-info version range is ^2.1.4. And version 2.8.9 is unaffected by this vulnerability.

So I guess npm audit fix can already fix this issue. If not, please delete node_modules and package-lock.json and then rerun npm install.

undergroundwires (Author) commented

@sodatea Thanks a lot for the help and sorry for taking your time with false alarm.
