Notice: False Security Vulnerability for 4.16.4 #3841

Closed
sdeshpande10 opened this issue Jan 2, 2019 · 6 comments
@sdeshpande10

"express": "4.16.4",
A security vulnerability warning for the following dependency is blocking us from using this library: mime 1.4.1.tgz
The mime module is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.

Details :
CVE-2017-16138 : https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16138

[screenshot: the scanner's vulnerability warning for mime 1.4.1]

@dougwilson
Contributor

That vulnerability does not apply to mime 1.4.1. The 1.4.1 version is the 1.x series version that contains the patch: broofa/mime#167 (comment)

@akankshagaur

@dougwilson We are getting this CVE on using expressjs which has mime as its dependency. Is there a plan to upgrade its version?

@dougwilson
Contributor

There is no plan because version 1.4.1 of mime is not vulnerable to that CVE. You may want to contact whatever is triggering that detection that it is incorrect.

@lirantal

lirantal commented Jan 3, 2019

Hi @sdeshpande10, @akankshagaur,
Liran from Snyk here.

It looks like @dougwilson is correct with regards to 1.4.1 not being vulnerable and I can assume that the fix was backported after the CVE was requested and that's why it's not in the original CVE report.

As you can see in the Snyk vulnerability report for mime you can either upgrade to version 1.4.1 to get the fix without upgrading to major version 2.0.3 which might include a breaking change:

[screenshot: Snyk vulnerability report for mime, listing 1.4.1 and 2.0.3 as fixed versions]
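One way to confirm locally which copy of mime a project actually resolves before disputing a scanner finding, as an added example that is not code from the express, mime or Snyk projects: walk a package-lock-style dependency tree, list every resolved copy of mime with the path that pulls it in, and compare each against the fix ranges named in this thread (1.4.1 for the 1.x line, 2.0.3 for the 2.x line). The lockfile fragment is constructed for the example and the helper names are assumptions of this example.

```javascript
// Added example: triage a scanner hit on "mime" by checking every resolved
// copy in a lockfile-style tree against the fix ranges stated in the thread.
// Not code from express, mime or Snyk; the sample lockfile below is constructed.

// Fix ranges for CVE-2017-16138 as stated in the thread:
// 1.x is fixed from 1.4.1 (below 2.0.0), 2.x is fixed from 2.0.3.
// max === null means the range is open-ended.
const FIXED_RANGES = [
  { min: '1.4.1', max: '2.0.0' },
  { min: '2.0.3', max: null },
];

// Parse "MAJOR.MINOR.PATCH" into numbers; prerelease/build suffixes are ignored.
function parseSemver(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) throw new Error(`unparseable version: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Negative if a < b, zero if equal, positive if a > b.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// True when the version lies inside one of the fixed ranges.
function isFixed(version) {
  return FIXED_RANGES.some(({ min, max }) =>
    compareSemver(version, min) >= 0 &&
    (max === null || compareSemver(version, max) < 0));
}

// Recursively walk a lockfile-v1-style nested "dependencies" object and
// collect every resolved copy of `name`, recording the path that pulls it in.
function findPackage(lockTree, name, path = []) {
  const hits = [];
  const deps = lockTree.dependencies || {};
  for (const [depName, entry] of Object.entries(deps)) {
    const here = [...path, `${depName}@${entry.version}`];
    if (depName === name) {
      hits.push({ version: entry.version, via: here.join(' > ') });
    }
    hits.push(...findPackage(entry, name, here));
  }
  return hits;
}

// For each resolved copy of mime, say whether it is actually in an affected range.
function triageMime(lockTree) {
  return findPackage(lockTree, 'mime').map(hit => ({
    ...hit,
    affected: !isFixed(hit.version),
  }));
}

// Constructed lockfile fragment: express 4.16.4 pulling in mime 1.4.1 via send,
// plus an unrelated (made-up) package pinning an old mime 1.3.4 for contrast.
const SAMPLE_LOCK = {
  dependencies: {
    express: {
      version: '4.16.4',
      dependencies: {
        send: { version: '0.16.2', dependencies: { mime: { version: '1.4.1' } } },
      },
    },
    'some-old-tool': {
      version: '0.1.0',
      dependencies: { mime: { version: '1.3.4' } },
    },
  },
};

for (const r of triageMime(SAMPLE_LOCK)) {
  console.log(`${r.affected ? 'AFFECTED' : 'fixed   '}  mime@${r.version}  via ${r.via}`);
}
```

Run against a real project by replacing SAMPLE_LOCK with the parsed contents of its package-lock.json; the copy reached through express reports as fixed, and only a genuinely old pin elsewhere in the tree shows as affected, which is the evidence to hand to the scanner vendor.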

@dougwilson dougwilson reopened this Jan 3, 2019
@dougwilson
Contributor

I am reopening this to prevent duplicate issues from opening.

As a reminder: there is no vulnerability here; whatever is alerting on this is incorrect and you may need to contact the vendor of the software flagging mime 1.4.1 to let them know.

@dougwilson dougwilson changed the title from "White source Security Vulnerability for 4.16.4" to "Notice: False Security Vulnerability for 4.16.4" on Jan 3, 2019
@dougwilson
Contributor

I'm unsure if those vendors have resolved the issue, but also haven't heard anything otherwise, so I'm going to re-close this issue.
