CVE-2020-28168 - Medium Severity Vulnerability #4937
Comments
This is now being reported by NPM's audit tools and has begun to fail our pipelines due to its "high" severity.
This is now resolvable. A recent upgrade worked out as follows:

before:

❯ yarn audit
yarn audit v1.22.4
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Server-Side Request Forgery                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ axios                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.21.1                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ pm2                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ pm2 > @pm2/js-api > axios                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1594                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
1 vulnerabilities found - Packages audited: 960
Severity: 1 High
✨ Done in 1.00s.

apply upgrade:

double check:
As @mashpie mentions above,
I have a very similar issue with pm2 5.3.0 but with this vulnerability, CVE-2023-45857. It seems the js-api is still using a vulnerable version of axios (0.21.4).

Same as @antoniore-edw, are any fixes planned?
What's going wrong?
How could we reproduce this issue?
Supporting information
Please follow CVE-2020-28168 and the related axios issue.
Dependency Hierarchy:
❌ axios-0.19.2.tgz (Vulnerable Library)