
Vulnerability in jose subdependency #2494

Closed
m-wagner98 opened this issue Mar 14, 2024 · 3 comments
@m-wagner98

Environment:

  • Operating System version: _____
  • Firebase SDK version: 12.0.0
  • Firebase Product: Top-level idk (auth, database, storage, etc)
  • Node.js version: n/a
  • NPM version: n/a

[REQUIRED] Step 3: Describe the problem

Steps to reproduce:

  1. Create a npm project and install the firebase-admin package.
  2. Perform a security analysis of the dependencies using the OWASP dependency-check plugin.
  3. The analysis fails due to a known vulnerability in the jose package.
  4. With npm ls jose we can find out where the dependency comes from:

@computer% npm ls jose
@app/source@0.0.0 /Users/wagnem46/dev/notificationmanager-v2
└─┬ firebase-admin@12.0.0
  └─┬ jwks-rsa@3.1.0
    └── jose@4.15.4

Vulnerability: GHSA-hhhv-q57g-882q
https://nvd.nist.gov/vuln/detail/CVE-2024-28176

@google-oss-bot

I found a few problems with this issue:

  • I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.
  • This issue does not seem to follow the issue template. Make sure you provide all the required information.

@lahirumaramba
Member

lahirumaramba commented Mar 14, 2024

Thanks for filing this issue. Since the vulnerability is in a dependency of jwks-rsa the fix should be addressed in that package. It also doesn't look like jwks-rsa pins to a specific version of jose so you might be able to upgrade jose to v4.15.5 (which includes the fix) in your environment. See auth0/node-jwks-rsa#403
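A check for the transitive dependency described in the reproduction steps and in the reply above, added here as an example and not code from the issue or from firebase-admin: it walks the JSON form of `npm ls` output (the sample tree below is constructed to mirror the one in the issue) and reports every path to a `jose` older than 4.15.5, the version the reply names as containing the fix.

```javascript
// Added example (not from the issue): walk `npm ls --json` output to find every
// path to a transitive dependency and flag copies older than a fixed release.
// A real tree comes from: npm ls jose --json

// Minimal "major.minor.patch" comparison; returns <0, 0 or >0 like strcmp.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Recursively collect { path, version } for every occurrence of `name`.
// `path` is the chain of parent@version entries leading to the package.
function findPackage(tree, name, path = []) {
  const hits = [];
  for (const [dep, info] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${dep}@${info.version}`];
    if (dep === name) hits.push({ path: here, version: info.version });
    hits.push(...findPackage(info, name, here));
  }
  return hits;
}

// Occurrences of `name` whose resolved version is older than `fixedIn`.
function vulnerableOccurrences(tree, name, fixedIn) {
  return findPackage(tree, name).filter(h => compareVersions(h.version, fixedIn) < 0);
}

// Constructed sample mirroring the issue's tree: firebase-admin -> jwks-rsa -> jose.
const sampleTree = {
  name: '@app/source', version: '0.0.0',
  dependencies: {
    'firebase-admin': {
      version: '12.0.0',
      dependencies: {
        'jwks-rsa': { version: '3.1.0', dependencies: { jose: { version: '4.15.4' } } },
      },
    },
  },
};

const flagged = vulnerableOccurrences(sampleTree, 'jose', '4.15.5');
for (const h of flagged) console.log(`jose@${h.version} < 4.15.5 via ${h.path.join(' > ')}`);
// → jose@4.15.4 < 4.15.5 via firebase-admin@12.0.0 > jwks-rsa@3.1.0 > jose@4.15.4
```

Because the parent here does not pin `jose` to an exact version, a flagged copy can be raised from the consuming project (for example with an `overrides` entry in package.json on npm 8.3 or later) without waiting for a new jwks-rsa release.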

@m-wagner98
Author

Okay, we will upgrade in our environment.
