
Node-forge vulnerabilities #248

Closed
pawelzygmuntowski opened this issue Feb 1, 2022 · 3 comments
pawelzygmuntowski commented Feb 1, 2022

The node-forge version used in node-xml-encryption that saml2 uses has some vulnerabilities.

https://deps.dev/advisory/GHSA/GHSA-5rrq-pxf6-6jx5 - Prototype Pollution in node-forge debug API.
and also
https://deps.dev/advisory/GHSA/GHSA-gf8q-jrpm-jvxq - URL parsing in node-forge could lead to undesired behavior.

This was fixed in the newest version of node-xml-encryption:
auth0/node-xml-encryption#94

So upgrading node-xml-encryption to the latest release should fix this.

Can we expect this to be fixed any time soon?

@slowtick

Would be interested in a fix for this. The newer version of xml-encryption (2.0.0) seems to be API compatible. With Node.js 16.x I added a dependency override in my package.json as below, and it worked with the current release of saml2-js.

```json
"overrides": {
  "saml2-js": {
    "xmldom": "^0.6.0",
    "xml-encryption": "^2.0.0"
  }
}
```

@darioackermann

I am maintaining a fork of this repo with all dependency updates applied. Feel free to use it in any case.

mcab added a commit that referenced this issue Oct 15, 2022
Updates some dependencies.

Closes #232, #234, #237, #240, #246, #248, #252.
mcab commented Oct 15, 2022

Addressed in #261.

@mcab mcab closed this as completed Oct 15, 2022