Is firebase-admin affected by CVE-2022-23529? #2023

Closed
amirbilu opened this issue Dec 22, 2022 · 3 comments · Fixed by #2025 or #2026
Comments

@amirbilu

GHSA-27h2-hvpr-p74q

@google-oss-bot

I found a few problems with this issue:

  • I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.
  • This issue does not seem to follow the issue template. Make sure you provide all the required information.

@lahirumaramba
Member

Thanks @amirbilu! I think the impact is minor, as the SDK does not directly expose the verify() function. However, there is a chance that some build tools and deploy workflows might get blocked by having a vulnerable dependency in the dependency chain. #2025 bumps jsonwebtoken from 8.5.1 to 9.0.0.

We will also do an emergency patch release today that includes the fixes.

@lahirumaramba
Member

Fixed in v11.4.1 https://github.com/firebase/firebase-admin-node/releases/tag/v11.4.1
Thanks everyone!
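
The dependency-chain concern raised in this thread, as an added example that is not part of the issue or of the firebase-admin project: a check that scans an npm lockfile (lockfileVersion 2 or 3) for installed copies of jsonwebtoken older than 9.0.0. The lockfile contents, the firebase-admin placeholder version and all function names are constructed for illustration.

```javascript
// Added example: constructed data, not taken from the firebase-admin repository.
const FIXED = [9, 0, 0]; // jsonwebtoken version that #2025 bumps to

// Parse "major.minor.patch", ignoring any pre-release or build suffix.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v || "");
  return m ? m.slice(1).map(Number) : null;
}

// True when version a sorts strictly before version b.
function isBelow(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Walk the "packages" map of a package-lock.json and return every installed
// copy of jsonwebtoken that is older than FIXED (or has an unreadable version).
function findOldJsonwebtoken(lock) {
  const suffix = "node_modules/jsonwebtoken";
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith(suffix)) continue;
    const ver = parseVersion(meta.version);
    if (ver === null || isBelow(ver, FIXED)) {
      // Nested copies sit under the package that pinned them; hoisted copies sit at the root.
      const installedUnder =
        path.slice(0, path.length - suffix.length).replace(/\/$/, "") || "(root)";
      hits.push({ path, version: meta.version || "unknown", installedUnder });
    }
  }
  return hits;
}

// Constructed lockfile: one nested 8.5.1 copy and one hoisted 9.0.0 copy.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/firebase-admin": { version: "0.0.0-placeholder" },
    "node_modules/firebase-admin/node_modules/jsonwebtoken": { version: "8.5.1" },
    "node_modules/jsonwebtoken": { version: "9.0.0" },
  },
};

console.log(findOldJsonwebtoken(sampleLock));
```

A nested hit means a dependency is still pinning the old version even though the project root has the fixed one, which is the case that trips audit gates in build and deploy workflows.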
