This repository was archived by the owner on Mar 5, 2025. It is now read-only.

CVE-2021-23358 - Arbitrary Code Execution (Underscore) #4049

Closed
tgardiner opened this issue May 7, 2021 · 3 comments · Fixed by #4051

Comments

@tgardiner

Expected behavior

web3 1.3.5 should not depend on vulnerable versions of underscore.

Actual behavior

web3 1.3.5 depends on a vulnerable version of underscore.

See: https://www.npmjs.com/advisories/1674

Steps to reproduce the behavior

  1. npm install web3
  2. npm audit

Logs

npm audit output:
underscore  1.3.2 - 1.12.0
Severity: high
Arbitrary Code Execution - https://npmjs.com/advisories/1674
No fix available
node_modules/underscore
  web3-bzz  *
  Depends on vulnerable versions of underscore
  node_modules/web3-bzz
    web3  *
    Depends on vulnerable versions of web3-bzz
    Depends on vulnerable versions of web3-utils
    node_modules/web3
  web3-core-helpers  *
  Depends on vulnerable versions of underscore
  node_modules/web3-core-helpers
    web3-core  *
    Depends on vulnerable versions of web3-core-helpers
    node_modules/web3-core
      web3-net  <=1.0.0-beta.55 || >=1.2.0
      Depends on vulnerable versions of web3-core
      Depends on vulnerable versions of web3-utils
      node_modules/web3-net
        web3-eth-personal  *
        Depends on vulnerable versions of web3-core-helpers
        Depends on vulnerable versions of web3-net
        node_modules/web3-eth-personal
        web3-shh  <=1.3.5
        Depends on vulnerable versions of web3-core-subscriptions
        Depends on vulnerable versions of web3-net
        node_modules/web3-shh
    web3-eth-ens  *
    Depends on vulnerable versions of underscore
    Depends on vulnerable versions of web3-core-helpers
    node_modules/web3-eth-ens
      web3-eth  *
      Depends on vulnerable versions of underscore
      Depends on vulnerable versions of web3-eth-ens
      node_modules/web3-eth
    web3-providers-http  *
    Depends on vulnerable versions of web3-core-helpers
    node_modules/web3-providers-http
  web3-core-method  *
  Depends on vulnerable versions of underscore
  node_modules/web3-core-method
  web3-core-requestmanager  *
  Depends on vulnerable versions of underscore
  node_modules/web3-core-requestmanager
  web3-core-subscriptions  *
  Depends on vulnerable versions of underscore
  node_modules/web3-core-subscriptions
  web3-eth-abi  *
  Depends on vulnerable versions of underscore
  node_modules/web3-eth-abi
  web3-eth-accounts  *
  Depends on vulnerable versions of underscore
  node_modules/web3-eth-accounts
  web3-eth-contract  *
  Depends on vulnerable versions of underscore
  node_modules/web3-eth-contract
  web3-providers-ipc  *
  Depends on vulnerable versions of underscore
  node_modules/web3-providers-ipc
  web3-providers-ws  *
  Depends on vulnerable versions of underscore
  node_modules/web3-providers-ws
  web3-utils  >=1.0.0-beta.8
  Depends on vulnerable versions of underscore
  node_modules/web3-utils
    web3-eth-iban  *
    Depends on vulnerable versions of web3-utils
    node_modules/web3-eth-iban

Environment

web3 1.3.5
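
The advisory behind this audit finding, CVE-2021-23358, is in underscore's `_.template`: in versions 1.3.2 through 1.12.0 the `variable` setting is used verbatim as the parameter name of the `new Function` that underscore builds, so a value that is not a plain identifier is compiled as JavaScript and evaluated when the template is rendered; underscore 1.12.1 rejects anything that is not a bare identifier. The block below is an added example, not code from underscore or from web3, that models that pattern in a deliberately minimal template compiler (only `<%= expr %>` interpolation, no `with` block, no escaping) next to a hardened variant with the same kind of bare-identifier check. The function names, the `__cve_2021_23358_demo` global marker and the template strings are assumptions made for the demonstration; the injected payload only sets that marker so the effect is visible without touching the filesystem or spawning a process.

```javascript
// Added example, not underscore's or web3's code: a deliberately minimal
// template compiler that reproduces the CVE-2021-23358 pattern (underscore
// 1.3.2 - 1.12.0: the `variable` setting is used verbatim as the parameter
// name of a `new Function`), beside a variant with the bare-identifier check
// that underscore 1.12.1 introduced. Only `<%= expr %>` interpolation is
// supported; there is no `with` block and no HTML escaping (simplification).

// Turn template text into the body of the render function. As in underscore,
// the template text itself is trusted; the problem is the `variable` setting.
function buildSource(text) {
  const interpolate = /<%=([\s\S]+?)%>/g;
  let source = "var __t, __p = '';\n";
  let index = 0;
  let match;
  while ((match = interpolate.exec(text)) !== null) {
    source += "__p += " + JSON.stringify(text.slice(index, match.index)) + ";\n";
    source += "__p += ((__t = (" + match[1] + ")) == null ? '' : __t);\n";
    index = match.index + match[0].length;
  }
  source += "__p += " + JSON.stringify(text.slice(index)) + ";\n";
  return source + "return __p;\n";
}

// Vulnerable shape: whatever is in `settings.variable` becomes the parameter
// list of the generated function. A value such as
//   "obj = (someExpression)"
// is a legal default-parameter expression, so it is compiled as code and
// evaluated every time the template is rendered without an argument.
function compileTemplateUnsafe(text, settings = {}) {
  const argument = settings.variable || "obj";
  return new Function(argument, "_", buildSource(text));
}

// Hardened shape: accept only a bare identifier for the parameter name and
// fail closed before any function source is built.
const bareIdentifier = /^\s*(\w|\$)+\s*$/;

function compileTemplateSafe(text, settings = {}) {
  const argument = settings.variable || "obj";
  if (!bareIdentifier.test(argument)) {
    throw new Error("variable is not a bare identifier: " + argument);
  }
  return new Function(argument, "_", buildSource(text));
}

// Demonstration. The payload only sets a global marker (assumed name) so the
// effect is observable without side effects on the host; a real payload would
// put arbitrary code in the same position.
function runDemo() {
  const marker = "__cve_2021_23358_demo";
  const payload = "obj = (globalThis." + marker + " = 'injected code ran')";
  delete globalThis[marker];

  // Vulnerable path: an empty template is enough; rendering it runs the payload.
  compileTemplateUnsafe("", { variable: payload })();
  const injected = globalThis[marker];

  // Hardened path: the same payload is rejected at compile time.
  let rejected = false;
  try {
    compileTemplateSafe("", { variable: payload });
  } catch (err) {
    rejected = /bare identifier/.test(err.message);
  }

  // Hardened path still renders legitimate templates with a custom variable name.
  const hardenedOutput = compileTemplateSafe("Hello <%= data.name %>!", { variable: "data" })({
    name: "web3",
  });

  return { injected, rejected, hardenedOutput };
}

console.log(runDemo());
```

The triage point for a project that, like web3 1.3.5 here, only pulls underscore in transitively: the audit finding is a statement about the installed version, and the code path is reachable only where something calls `_.template` with a `variable` setting derived from untrusted input. The remediation is still to get underscore 1.12.1 or later installed, because `npm audit` will keep reporting the version regardless of whether that call exists in your own code.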

@azerella

azerella commented May 8, 2021

Also experiencing this, would like a fix ASAP

@smartcontracts

Seems like dependabot already made a bunch of PRs to update this, e.g.: #4038. Would be great if these could be merged soon, ty!!

@GregTheGreek
Contributor

Thanks everyone, getting these in now, will release a patch after some testing to ensure nothing is broken.

Will also be looking into potentially removing underscore since it's a relatively large library.

4 participants