GitHub Advisory Database: GHSA-F7XJ-RG7H-MC87
History: Jul 07, 2023 - 8:32 p.m.

Stylelint has vulnerability in semver dependency

2023-07-07 20:32:55
GitHub Advisory Database
github.com

Tags: stylelint, vulnerability, semver, update, meow, cli, dependency, dev tool

7.5 High (CVSS3)

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.001 Low (Percentile 51.1%)

Summary

Our meow dependency (which we use for our CLI) depended on [email protected]. A vulnerability in this version of semver was recently identified and surfaced by npm audit:

Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw

Details

Original post by the reporter:

"my npm audit show the report

semver <7.5.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
No fix available

And my dependencies tree for semver show your package

├─┬ [email protected]
│ └─┬ [email protected]
│ └─┬ [email protected]
│ └─┬ [email protected]
│ └─┬ [email protected]
│ └── [email protected] deduped

I found that [email protected] contains normalize-package-data@5 and I can fix this vulnerability because it uses semver@7. But I can't update meow to the new major version because your package doesn't allow it.

Update your package to use the 'meow' version >=10"

PoC

N/A

Impact

We anticipate the impact to be low as Stylelint is a dev tool and meow is only used on the CLI pathway.


โฌ‡๏ธ EDITED AFTER PUBLISHED โฌ‡๏ธ

Security fix backported to older semver versions

The same security fix has been backported to older semver versions of 5.x and 6.x. See the CVE-2022-25883 details.

So, you can fix this vulnerability by just updating semver in your project's dependency tree, instead of updating stylelint. For details, see the example:

package.json:

{
  "dependencies": {
    "stylelint": "15.10.0"
  }
}

Run npm audit (note that there is no alert for semver itself, only the advisory for stylelint):

$ npm ci
...

$ npm audit
...
stylelint  8.0.0 - 15.10.0
Stylelint has vulnerability in semver dependency - https://github.com/advisories/GHSA-f7xj-rg7h-mc87
fix available via `npm audit fix --force`
Will install [email protected], which is outside the stated dependency range
node_modules/stylelint

1 low severity vulnerability
...

$ npm ls semver
...
└─┬ [email protected]
  └─┬ [email protected]
    ├─┬ [email protected]
    │ └── [email protected]
    └─┬ [email protected]
      └─┬ [email protected]
        └─┬ [email protected]
          └── [email protected]
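The check above relies on reading `npm ls` output by eye. As an added example (not part of the advisory or of stylelint's own tooling), the script below walks a package-lock.json (lockfileVersion 2/3) and reports every nested copy of semver, flagging 7.x copies older than the 7.5.2 fix named on this page; the 5.x/6.x backport versions are not stated here, so copies on those lines are reported as "verify" against CVE-2022-25883 rather than guessed. The lockfile contents are constructed sample data mirroring the advisory's dependency tree.

```javascript
// Fix version per semver major. 7.5.2 is the boundary named in this advisory;
// the 5.x and 6.x backport numbers must be filled in from CVE-2022-25883.
const PATCHED_BY_MAJOR = { 7: '7.5.2' };

function parseVersion(v) {
  // Numeric core only; a pre-release suffix (e.g. "-beta.1") is dropped for this check.
  return v.split('-')[0].split('.').map(Number);
}

function olderThan(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Returns one finding per semver copy: { path, version, status } where status is
// 'ok', 'vulnerable', or 'verify' (major line whose fix version is not in the map).
function auditSemverCopies(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/semver')) continue; // nested copies end the same way
    const major = parseVersion(meta.version)[0];
    const fixed = PATCHED_BY_MAJOR[major];
    const status = !fixed ? 'verify' : olderThan(meta.version, fixed) ? 'vulnerable' : 'ok';
    findings.push({ path, version: meta.version, status });
  }
  return findings;
}

// Constructed sample lockfile (assumed shape of lockfileVersion 3): stylelint -> meow ->
// normalize-package-data -> semver, with a hoisted top-level semver alongside.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', dependencies: { stylelint: '15.10.0' } },
    'node_modules/semver': { version: '7.5.4' },
    'node_modules/stylelint': { version: '15.10.0' },
    'node_modules/meow': { version: '9.0.0' },
    'node_modules/meow/node_modules/semver': { version: '7.5.1' },
    'node_modules/normalize-package-data/node_modules/semver': { version: '5.7.1' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.table(auditSemverCopies(SAMPLE_LOCK));
}
```

Replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json'))` to run it against a real project; a 'vulnerable' or 'verify' row under a path other than the top-level `node_modules/semver` is exactly the nested copy that `npm audit fix` will not touch without `--force`.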

Affected configurations

Vulners (Node):
  stylelint  Range ≥ 8.0.0
  OR
  stylelint  Range < 15.10.1

CPE:
  Name       Operator  Version
  stylelint  ge        8.0.0
  stylelint  lt        15.10.1
