Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security: Vulnerability in @react-pdf/png-js dependency chain (socket.io-parser < 4.2.1) #3081

Open
sunanmau5 opened this issue Feb 17, 2025 · 0 comments
Open

Security: Vulnerability in @react-pdf/png-js dependency chain (socket.io-parser < 4.2.1) #3081

sunanmau5 opened this issue Feb 17, 2025 · 0 comments

Comments

@sunanmau5
Copy link

A security vulnerability has been identified in the dependency chain of @react-pdf/png-js. The package uses [email protected], which ultimately depends on an outdated version of socket.io-parser (2.3.1) through the following dependency chain:

@react-pdf/png-js
└─ [email protected]
   └─ [email protected]
      └─ [email protected]
         └─ [email protected]

The vulnerability exists in the Socket.io js library due to improper type validation in attachment parsing. This security flaw allows attackers to overwrite the _placeholder object, potentially enabling them to place references to functions at arbitrary places in the resulting query object.

The vulnerability can be addressed by updating socket.io-parser to version 4.2.1 or higher. However, since browserify-zlib is no longer maintained, addressing this security issue through normal dependency updates is challenging.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@sunanmau5