Current release of @vue/cli-service is affected by CVE-2021-27290 Regular Expression Denial of Service in ssri #6424

Closed
@wallyaltman

Description

Version

4.5.12

Environment info

Environment Info:

  System:
    OS: Linux 5.11 Arch Linux
    CPU: (8) x64 Intel(R) Core(TM) i7-6700 CPU @ 3.40GHz
  Binaries:
    Node: Not Found
    Yarn: 1.22.10 - /tmp/yarn--1618510365267-0.6910111220689819/yarn
    npm: 7.8.0 - /usr/bin/npm
  Browsers:
    Chrome: Not Found
    Firefox: 87.0
  npmPackages:
    @vue/babel-helper-vue-jsx-merge-props:  1.2.1 
    @vue/babel-plugin-transform-vue-jsx:  1.2.1 
    @vue/babel-preset-app:  3.12.1 
    @vue/babel-preset-jsx:  1.2.4 
    @vue/babel-sugar-composition-api-inject-h:  1.2.1 
    @vue/babel-sugar-composition-api-render-instance:  1.2.4 
    @vue/babel-sugar-functional-vue:  1.2.2 
    @vue/babel-sugar-inject-h:  1.2.2 
    @vue/babel-sugar-v-model:  1.2.3 
    @vue/babel-sugar-v-on:  1.2.3 
    @vue/cli: ^4.5.4 => 4.5.11 
    @vue/cli-overlay:  4.5.12 
    @vue/cli-plugin-babel: ^3.5.0 => 3.12.1 
    @vue/cli-plugin-eslint: ^3.5.0 => 3.12.1 
    @vue/cli-plugin-router:  4.5.12 
    @vue/cli-plugin-vuex:  4.5.12 
    @vue/cli-service: ^4.5.4 => 4.5.12 
    @vue/cli-shared-utils:  4.5.11 (3.12.1, 4.5.12)
    @vue/cli-ui:  4.5.11 
    @vue/cli-ui-addon-webpack:  4.5.11 
    @vue/cli-ui-addon-widgets:  4.5.11 
    @vue/compiler-core:  3.0.7 
    @vue/compiler-dom:  3.0.7 
    @vue/compiler-sfc:  undefined (3.0.7)
    @vue/compiler-ssr:  3.0.7 
    @vue/component-compiler-utils:  3.2.0 
    @vue/preload-webpack-plugin:  1.1.2 
    @vue/reactivity:  3.0.7 
    @vue/runtime-core:  3.0.7 
    @vue/runtime-dom:  3.0.7 
    @vue/shared:  3.0.7 
    @vue/web-component-wrapper:  1.3.0 
    eslint-plugin-vue: ^5.0.0 => 5.2.3 (4.7.1)
    typescript:  3.9.9 
    vue: ^2.6.10 => 2.6.12 (3.0.7)
    vue-cli-plugin-apollo:  0.21.3 
    vue-cli-plugin-vuetify: latest => 2.0.7 
    vue-cli-plugin-vuetify-essentials: latest => 0.8.3 
    vue-codemod:  0.0.4 
    vue-eslint-parser:  5.0.0 (2.0.3)
    vue-hot-reload-api:  2.3.4 
    vue-loader:  15.9.6 (16.2.0)
    vue-style-loader:  4.1.3 
    vue-template-compiler: 2.6.12 => 2.6.12 
    vue-template-es2015-compiler:  1.9.1 
    vuetify: ^2.1.11 => 2.3.14 
    vuetify-loader: ~>1.4.2 => 1.4.4 
  npmGlobalPackages:
    @vue/cli: Not Found

Steps to reproduce

  • Require the latest stable version of the @vue/cli-service package in any app.
  • Run yarn audit.

What is expected?

The latest version of the software does not report any vulnerabilities.

What is actually happening?

The latest version of the software has two vulnerabilities from ssri, one from a direct dependency on the package.
My pipeline broke today once this vulnerability finally made it into the audit database.

https://www.npmjs.com/advisories/565
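An added example, not part of this issue or of the vue-cli project: a small CI gate over `yarn audit --json` output, so a newly published advisory fails the pipeline only above a chosen severity and can be waived by advisory id (with a recorded reason) while an upstream fix is awaited. It assumes yarn v1's newline-delimited JSON format (`auditAdvisory` entries followed by an `auditSummary`); the sample entries and their dependency paths are constructed, not taken from a real audit.

```javascript
// Added example: gate a CI job on `yarn audit --json` output.
// Assumed format (yarn v1): one JSON object per line, findings have type "auditAdvisory".
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Parse NDJSON from `yarn audit --json` into a flat list of findings; non-JSON lines are skipped.
function parseAudit(ndjson) {
  const findings = [];
  for (const line of ndjson.split("\n")) {
    if (!line.trim()) continue;
    let entry;
    try { entry = JSON.parse(line); } catch (e) { continue; }
    if (entry.type !== "auditAdvisory") continue;
    const adv = entry.data.advisory;
    findings.push({
      id: adv.id,
      module: adv.module_name,
      severity: adv.severity,
      cves: adv.cves || [],
      path: entry.data.resolution ? entry.data.resolution.path : undefined,
    });
  }
  return findings;
}

// Decide pass/fail: findings at or above `failAt` block unless their advisory id is waived.
function gate(findings, { failAt = "moderate", allow = {} } = {}) {
  const threshold = SEVERITY_RANK[failAt];
  const blocking = [];
  const waived = [];
  for (const f of findings) {
    if ((SEVERITY_RANK[f.severity] || 0) < threshold) continue;
    if (f.id in allow) { waived.push({ ...f, reason: allow[f.id] }); continue; }
    blocking.push(f);
  }
  return { pass: blocking.length === 0, blocking, waived };
}

// Constructed sample: two hits on the same advisory, one direct and one transitive (paths made up).
const SAMPLE_AUDIT = [
  { type: "auditAdvisory", data: { resolution: { id: 565, path: "@vue/cli-service>ssri" },
    advisory: { id: 565, module_name: "ssri", severity: "high", cves: ["CVE-2021-27290"] } } },
  { type: "auditAdvisory", data: { resolution: { id: 565, path: "@vue/cli-service>cacache>ssri" },
    advisory: { id: 565, module_name: "ssri", severity: "high", cves: ["CVE-2021-27290"] } } },
  { type: "auditSummary", data: { vulnerabilities: { high: 2 } } },
].map((o) => JSON.stringify(o)).join("\n");

// Usage in CI: `yarn audit --json > audit.ndjson; node gate.js audit.ndjson`
if (typeof require !== "undefined" && require.main === module && process.argv[2]) {
  const result = gate(parseAudit(require("fs").readFileSync(process.argv[2], "utf8")));
  console.log(JSON.stringify(result, null, 2));
  process.exit(result.pass ? 0 : 1);
}
```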
