
xml2js is vulnerable to prototype pollution(short issue description) #4387

Closed
Harisene opened this issue Apr 10, 2023 · 3 comments · Fixed by #4389
Labels
bug This issue is a bug. needs-triage This issue or PR still needs to be triaged.

Comments

@Harisene

Describe the bug

When I run npm i or npm ci I get the error and the installation process fails.

Expected Behavior

npm ci should run successfully.

Current Behavior

Getting the below error:

  • 2 high severity vulnerabilities

This is what I got from running npm audit:
[Screenshot of npm audit output, 2023-04-10]

Reproduction Steps

running npm i or npm ci

Possible Solution

No response

Additional Information/Context

No response

SDK version used

2.1353.0

Environment details (OS name and version, etc.)

macOS Monterey 12.6.1

@Harisene Harisene added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Apr 10, 2023
@prathameshmhatre

I was also facing the same issue, but I added an overrides entry within the package.json as below:

```json
"overrides": {
    "xml2js": "0.5.0"
  }
```

And did an npm update and it resolved the issue.
The actual fix will be aws-sdk being updated for the "xml2js": "0.5.0" version.
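To see where an old xml2js copy is still being pulled in before reaching for an override, here is an added example (not code from this issue or from aws-sdk-js) that scans a package-lock.json "packages" map (lockfile version 2 or 3) for xml2js entries below the 0.5.0 release named above. The lockfile content is constructed for the demo; the nested version numbers are illustrative, not a claim about what aws-sdk 2.1353.0 actually resolves.

```javascript
// Added example: find xml2js copies in a package-lock.json that predate
// the fixed 0.5.0 release and report the dependency path that pulled them in.
const FIXED_XML2JS = [0, 5, 0]; // version the thread settles on

// Parse "MAJOR.MINOR.PATCH" into a comparable triple (pre-release tags dropped).
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Compare two triples: -1 if a < b, 0 if equal, 1 if a > b.
function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Lockfile keys look like "node_modules/aws-sdk/node_modules/xml2js";
// a nested copy under another package is reported with its full path.
function findVulnerableXml2js(lockfile) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (!path.endsWith("node_modules/xml2js")) continue;
    if (compareSemver(parseSemver(entry.version), FIXED_XML2JS) < 0) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed lockfile fragment: the hoisted top-level xml2js is already
// fixed, but a nested copy under aws-sdk is still old (numbers are made up).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/aws-sdk": { version: "2.1353.0" },
    "node_modules/aws-sdk/node_modules/xml2js": { version: "0.4.19" },
    "node_modules/xml2js": { version: "0.5.0" },
  },
};

for (const f of findVulnerableXml2js(SAMPLE_LOCK)) {
  console.log(`${f.path} resolves xml2js@${f.version} (< 0.5.0): ` +
    `upgrade the parent or add an "overrides" entry`);
}
```

Run it against a real lockfile by replacing SAMPLE_LOCK with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`.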

@mhassan1 mhassan1 mentioned this issue Apr 10, 2023
@SamucaDev

Same problem with "aws-sdk": "^2.996.0"

[Screenshot of npm audit output, 2023-04-10]

@ricardofaria-minu

This issue was fixed, but not published to NPM.

tabdunabi added a commit to aws-solutions/discovering-hot-topics-using-machine-learning that referenced this issue Apr 17, 2023
### Fixed

- Update AWS-SDK V2 that addresses the security issue identified in xml2js (aws/aws-sdk-js#4387)
- Updated the bucket policy on the logging bucket to grant access to the logging service principal (logging.s3.amazonaws.com) for access log delivery.
tabdunabi added a commit to aws-solutions/discovering-hot-topics-using-machine-learning that referenced this issue Apr 18, 2023
### Fixed

- Update AWS-SDK V2 that addresses the security issue identified in xml2js (aws/aws-sdk-js#4387)
- Updated the bucket policy on the logging bucket to grant access to the logging service principal (logging.s3.amazonaws.com) for access log delivery.