
Socks package depends on vulnerable package ip #93

Closed
dawidurbanski opened this issue Feb 10, 2024 · 2 comments

Comments

@dawidurbanski

dawidurbanski commented Feb 10, 2024

This package relies on a vulnerable ip package.

GHSA-78xj-cgh5-2h22

The report says the affected versions are below 1.1.8 without any patched versions (latest is 2.0.0, which this package relies on).

I took a moment to reproduce the vulnerability in 2.0.0 and this version is also affected (but not seen in npm audit, due to version constraint in the advisory database).

Maybe consider removing ip as dependency.

This package seems to be dead, especially looking at the disclosure timeline in the report:

Disclosure Timeline
14 December 2022 - First Contact (via huntr):
17 January 2023 - Reminder (No Response)
28 February 2023 - Reminder (No Response)
8 February 2024 - Public Disclosure

Is this package affected?

The only two vulnerable functions from the ip package are isPublic and isPrivate.

I didn't look through the code but you probably should ignore this if this package is not using these functions.

In such case this probably should be revisited only in case of the advisory database update stating the 2.0.0 package is also affected (making this package a culprit in the npm audit). Until then it's probably safe to ignore.

Related:

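Added example, not from the socks project, the ip package or anyone in this thread: a strict IPv4 private-address classifier of the kind one would use in place of ip's isPrivate/isPublic. It assumes (my reading of the linked advisory, not stated in the issue above) that the flaw is lenient parsing of non-canonical address forms such as "0x7f.1" or "127.1"; the approach here is to reject anything that is not canonical dotted-decimal and to fail closed on rejected input.

```javascript
// Added example (not ip's or socks' code). Assumption: ip's isPublic/isPrivate
// accept non-canonical forms ("0x7f.1", "127.1", "0177.0.0.1") and can report a
// loopback/private address as public. Here such input is rejected outright.

// Constructed list of non-globally-routable IPv4 ranges (CIDR base, prefix bits).
const PRIVATE_RANGES = [
  ['10.0.0.0', 8],
  ['172.16.0.0', 12],
  ['192.168.0.0', 16],
  ['127.0.0.0', 8],
  ['169.254.0.0', 16],
  ['0.0.0.0', 8],
];

// Canonical dotted-decimal only: four octets, 0-255, no leading zeros, no hex/octal.
const OCTET = '(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)';
const CANONICAL_IPV4 = new RegExp(`^${OCTET}(\\.${OCTET}){3}$`);

// Returns the address as an unsigned 32-bit integer, or null if not canonical.
function parseIPv4Strict(addr) {
  if (typeof addr !== 'string' || !CANONICAL_IPV4.test(addr)) return null;
  return addr.split('.').reduce((acc, o) => (acc * 256 + Number(o)) >>> 0, 0);
}

// true = private/non-routable, false = public, null = input rejected.
function isPrivateIPv4Strict(addr) {
  const n = parseIPv4Strict(addr);
  if (n === null) return null;
  return PRIVATE_RANGES.some(([base, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((n & mask) >>> 0) === ((parseIPv4Strict(base) & mask) >>> 0);
  });
}

// Fail closed: anything that is not a canonical public address is "not public".
function isPublicIPv4Strict(addr) {
  return isPrivateIPv4Strict(addr) === false;
}
```

The null return is deliberate: a caller deciding whether to connect should treat it as a rejected address, never silently fall through to "public".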
@JoshGlazebrook
Owner

I'll work on removing it later today.

@JoshGlazebrook
Owner

2.7.3 is published - https://www.npmjs.com/package/socks/v/2.7.3

#94
