
CVE-2020-28168 - Medium Severity Vulnerability #4937

Open
kerimkaan opened this issue Dec 13, 2020 · 5 comments

Comments

@kerimkaan

What's going wrong?

  • Security vulnerability in the dependency (axios)

How could we reproduce this issue?

Supporting information

Please see CVE-2020-28168 and the related axios issue

Dependency Hierarchy:

  • pm2-4.5.0.tgz (Root Library)
    • js-api-0.6.0.tgz
      ❌ axios-0.19.2.tgz (Vulnerable Library)
@mririgoyen

mririgoyen commented Jan 4, 2021

This is now being reported by NPM's audit tools and has begun to fail our pipelines due to its "high" severity.

https://www.npmjs.com/advisories/1594

@mashpie

mashpie commented Jan 6, 2021

This is now resolvable by yarn upgrade -A or npm equivalent, as js-api published a new patch version with the current axios minor version some minutes ago.

A recent upgrade worked out as follows:

before

❯ yarn audit
yarn audit v1.22.4
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Server-Side Request Forgery                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ axios                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.21.1                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ pm2                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ pm2 > @pm2/js-api > axios                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1594                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
1 vulnerabilities found - Packages audited: 960
Severity: 1 High
✨  Done in 1.00s.

apply upgrade

❯ yarn upgrade -A
yarn upgrade v1.22.4
[1/5] 🔍  Resolving packages...
[...]
[2/5] 🔍  Auditing packages...
[3/5] 🚚  Fetching packages...
[4/5] 🔗  Linking dependencies...
[5/5] 🔨  Rebuilding all packages...
0 vulnerabilities found - Packages audited: 958
success Saved lockfile.

double check

❯ yarn audit
yarn audit v1.22.4
0 vulnerabilities found - Packages audited: 958
✨  Done in 0.89s.

@warpr

warpr commented Jan 9, 2021

As @mashpie mentions above, npm audit and following its instructions works to resolve this with npm:

> $ npm audit
npm http fetch POST 200 https://registry.npmjs.org/-/npm/v1/security/audits 1361ms

                       === npm audit security report ===

# Run  npm update @pm2/js-api --depth 2  to resolve 1 vulnerability
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Server-Side Request Forgery                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ axios                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ pm2                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ pm2 > @pm2/js-api > axios                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1594                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
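
The audit output above only flags the copy of axios that the registry's advisory database knows about; a CI gate that fails the build for a known-bad range, wherever the package is nested, catches the same thing without a network round trip. The following is an added example, not code from pm2, @pm2/js-api or anyone in this thread: it walks the "packages" map of an npm lockfile (lockfileVersion 2/3), resolves each dependency the way Node does, and reports every copy of axios below the patched version from the audit table (>=0.21.1 for CVE-2020-28168) together with the dependent chain in the form `yarn audit` prints (pm2 > @pm2/js-api > axios). The sample lockfile is constructed to mirror the hierarchy reported in this issue; version comparison is numeric and ignores prerelease tags.

```javascript
// Advisory data as reported by the audit output in this thread.
const ADVISORIES = [{ name: "axios", cve: "CVE-2020-28168", patchedIn: "0.21.1" }];

// Compare dotted numeric versions ("0.19.2" vs "0.21.1"); prerelease tags not handled.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Package name of a lockfile key: the text after the last "node_modules/".
const nameOf = (key) => key.slice(key.lastIndexOf("node_modules/") + "node_modules/".length);

// Node-style resolution inside the lockfile: look for dep beside fromKey,
// then in each enclosing node_modules up to the project root (key "").
function resolveDep(packages, fromKey, dep) {
  for (let base = fromKey; ; ) {
    const cand = (base ? base + "/" : "") + "node_modules/" + dep;
    if (packages[cand]) return cand;
    if (!base) return null;
    const i = base.lastIndexOf("/node_modules/");
    base = i < 0 ? "" : base.slice(0, i);
  }
}

// Return every copy of an advised package whose version is below patchedIn,
// with the chain of dependents leading to it from the project root.
function findVulnerable(lock, advisories = ADVISORIES) {
  const packages = lock.packages || {};
  const parents = {}; // resolved key -> first package that depends on it
  for (const [key, meta] of Object.entries(packages)) {
    for (const dep of Object.keys(meta.dependencies || {})) {
      const target = resolveDep(packages, key, dep);
      if (target !== null && !(target in parents)) parents[target] = key;
    }
  }
  const hits = [];
  for (const [key, meta] of Object.entries(packages)) {
    if (key === "") continue; // root project entry
    const adv = advisories.find((a) => a.name === nameOf(key));
    if (!adv || compareVersions(meta.version, adv.patchedIn) >= 0) continue;
    const chain = []; // walk parents up to the root; length guard stops dependency cycles
    for (let k = key; k && chain.length < 100; k = parents[k]) chain.unshift(nameOf(k));
    hits.push({ cve: adv.cve, version: meta.version, patchedIn: ">=" + adv.patchedIn, path: chain.join(" > ") });
  }
  return hits;
}

// Constructed sample lockfile: js-api is hoisted, its axios is nested because the root pins a newer one.
const SAMPLE_LOCK = { lockfileVersion: 2, packages: {
  "": { dependencies: { pm2: "^4.5.0", axios: "^0.21.1" } },
  "node_modules/pm2": { version: "4.5.0", dependencies: { "@pm2/js-api": "~0.6.0" } },
  "node_modules/@pm2/js-api": { version: "0.6.0", dependencies: { axios: "^0.19.0" } },
  "node_modules/@pm2/js-api/node_modules/axios": { version: "0.19.2" },
  "node_modules/axios": { version: "0.21.1" } } };
```

Run it against a real package-lock.json with `findVulnerable(JSON.parse(fs.readFileSync("package-lock.json")))` and fail the pipeline when the returned list is non-empty.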

@antoniore-edw

I have a very similar issue with pm2 5.3.0 but with this vulnerability CVE-2023-45857. It seems the js-api is still using a vulnerable version of axios (0.21.4).


@OshriBaruch

Same as @antoniore-edw, any fixes are planned?
