This repository has been archived by the owner on Apr 3, 2024. It is now read-only.

Vulnerabilities in dependency jsonwebtoken, installed through firebase-admin #1126

Closed
letsgolesco opened this issue Jan 5, 2023 · 1 comment
Assignees
Labels
  • api: clouddebugger — Issues related to the googleapis/cloud-debug-nodejs API.
  • priority: p2 — Moderately-important priority. Fix may not be included in next release.
  • type: bug — Error or flaw in code with unintended results or allowing sub-optimal usage patterns.

Comments

@letsgolesco

Overview

The npm package jsonwebtoken at version 8.x.x has four known vulnerabilities, three moderate and one high severity. @google-cloud/debug-agent uses firebase-admin at version 10.x.x, which uses jsonwebtoken at version 8.x.x, thus introducing the vulnerability.

A patch was introduced in firebase-admin version 11.4.1 to upgrade jsonwebtoken to version 9.x.x (see firebase/firebase-admin-node#2023). To resolve this issue, firebase-admin should be upgraded to version 11.4.1 or later.

Breaking changes for firebase-admin version 11.0.0 can be found here. They are as follows:

Breaking change: Dropped support for Node.js 12. Developers should use Node.js 14 or higher when deploying the Admin SDK.

This may be a sticking point, as it looks like this library still supports Node 12. Node 12 is no longer maintained as of April 30 2022, so hopefully this means this library can drop support for it.

Breaking change: Upgraded TypeScript to v4.6.4.

This package uses TypeScript 4.6.4, so this should not be an issue.

Breaking change: Upgraded the @google-cloud/firestore package to v5. This contains breaking changes. Refer to the Cloud Firestore release notes for more details.

Breaking change: Upgraded the @google-cloud/storage package to v6. This contains breaking changes. Refer to the Cloud Storage release notes for more details.

I can't speak to the impact of these changes, but it seems that @google-cloud/firestore and @google-cloud/storage are not used directly by this package.

Environment details

  • OS: MacOS 13.1
  • Node.js version: 16.17.0
  • npm version: 8.15.0
  • @google-cloud/debug-agent version: 7.2.1

Steps to reproduce

  1. Install @google-cloud/debug-agent in your NodeJS project at version 7.x.x (i.e. npm install --save @google-cloud/debug-agent)
  2. Run npm audit

Observe the following npm audit report:

```
# npm audit report

jsonwebtoken  <=8.5.1
Severity: high
jsonwebtoken unrestricted key type could lead to legacy keys usage  - https://github.com/advisories/GHSA-8cf7-32gw-wr33
jsonwebtoken has insecure input validation in jwt.verify function - https://github.com/advisories/GHSA-27h2-hvpr-p74q
jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - https://github.com/advisories/GHSA-hjrf-2m68-5959
jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify() - https://github.com/advisories/GHSA-qwph-4952-7xr6
fix available via `npm audit fix --force`
Will install jsonwebtoken@9.0.0, which is a breaking change
node_modules/jsonwebtoken
  firebase-admin  4.0.0 - 11.4.0
  Depends on vulnerable versions of jsonwebtoken
  node_modules/firebase-admin
    @google-cloud/debug-agent  >=6.0.0
    Depends on vulnerable versions of firebase-admin
    node_modules/@google-cloud/debug-agent
```
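The audit report above shows a transitive chain (@google-cloud/debug-agent > firebase-admin > jsonwebtoken) that `npm audit` resolves against the GitHub advisory database. The following added example, which is not part of this issue or of the cloud-debug-nodejs project, walks an `npm ls --json`-style dependency tree and reports every path that reaches jsonwebtoken at or below 8.5.1, the upper bound the report names. The tree is constructed inline to mirror the chain in the report; the project name `example-app`, the package `some-other-lib` and the firebase-admin version 10.3.0 are assumptions, not values from the issue.

```javascript
// Added example: find dependency paths that reach a vulnerable jsonwebtoken.
// Input shape follows the nested `dependencies` objects of `npm ls --json`.

const VULNERABLE_PACKAGE = 'jsonwebtoken';
// Upper bound taken from the audit report in the issue: "jsonwebtoken <=8.5.1".
const LAST_VULNERABLE_VERSION = '8.5.1';

// Minimal comparison for plain x.y.z versions (no pre-release or build tags).
// Returns -1, 0 or 1 like a comparator.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

function isVulnerable(version) {
  return compareVersions(version, LAST_VULNERABLE_VERSION) <= 0;
}

// Depth-first walk; every hit records the full path of name@version pairs
// from the root project down to the vulnerable package.
function findVulnerablePaths(tree, pkg = VULNERABLE_PACKAGE) {
  const hits = [];
  function walk(node, name, path) {
    const here = name ? [...path, `${name}@${node.version}`] : path;
    if (name === pkg && isVulnerable(node.version)) {
      hits.push({ path: here, version: node.version });
    }
    for (const [depName, depNode] of Object.entries(node.dependencies || {})) {
      walk(depNode, depName, here);
    }
  }
  walk(tree, null, []);
  return hits;
}

// Render each hit as a ">"-separated chain, the way the audit report nests it.
function report(tree) {
  return findVulnerablePaths(tree).map((h) => h.path.join(' > '));
}

// Constructed sample tree mirroring the chain in the audit report.
// 'example-app', 'some-other-lib' and firebase-admin 10.3.0 are assumptions.
const sampleTree = {
  name: 'example-app',
  version: '1.0.0',
  dependencies: {
    '@google-cloud/debug-agent': {
      version: '7.2.1',
      dependencies: {
        'firebase-admin': {
          version: '10.3.0',
          dependencies: {
            jsonwebtoken: { version: '8.5.1' },
          },
        },
      },
    },
    // A second consumer already on the patched major; must not be reported.
    'some-other-lib': {
      version: '2.0.0',
      dependencies: { jsonwebtoken: { version: '9.0.0' } },
    },
  },
};

for (const line of report(sampleTree)) {
  console.log('VULNERABLE:', line);
}
```

On a real project, feed the parsed output of `npm ls --json --all` into `report()` instead of `sampleTree`; the chain it prints for this issue's case is the same one the audit report lists, and the 9.x copy under the second package is correctly left out.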
@letsgolesco letsgolesco added priority: p2 Moderately-important priority. Fix may not be included in next release. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns. labels Jan 5, 2023
@product-auto-label product-auto-label bot added the api: clouddebugger Issues related to the googleapis/cloud-debug-nodejs API. label Jan 5, 2023
@mctavish mctavish self-assigned this Jan 11, 2023
@mctavish
Contributor

Thanks for filing the report. Your assessment is correct; this vulnerability can't be addressed as long as Node 12 is supported.

I can't currently give a timeline for when we'll be removing Node 12 support from this package, but am looking into it and will keep you posted.
