
DoS vulnerability from dicer@0.2.5 #735

Closed
mrded opened this issue May 20, 2022 · 4 comments

Comments

@mrded

mrded commented May 20, 2022

Hello,

Snyk is reporting a vulnerability in this repo that is coming from the Dicer library:

Issues with no direct upgrade or patch:
  ✗ Denial of Service (DoS) [High Severity][https://snyk.io/vuln/SNYK-JS-DICER-2311764] in dicer@0.2.5
    introduced by express-openapi-validator@4.13.7 > multer@1.4.4 > busboy@0.2.14 > dicer@0.2.5
  No upgrade or patch available

Thanks

@mrded
Author

mrded commented May 20, 2022

Updating multer > busboy@1.0.0 drops the dependency on dicer (where the vuln comes from).

@ansonallard

multer has an active PR for this issue: expressjs/multer#1097

@finpingvin
Contributor

> multer has an active PR for this issue: expressjs/multer#1097

They seem to have released it under 1.4.4-lts.1

@cdimascio
Owner

Fixed in 4.13.8
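An added example (not code from this issue, express-openapi-validator or multer) that reproduces the check behind the whole thread: walk a package-lock.json dependency tree to see whether a direct dependency still reaches dicer, and which busboy pin keeps it there. Both lockfile excerpts are constructed; that multer 1.4.4-lts.1 resolves busboy to 1.0.0, that busboy >= 1.0.0 has no dicer dependency, and the `direct` list passed in are assumptions taken from the comments above.

```python
import json

# Constructed lockfileVersion-1 style excerpt (not the project's real lockfile) mirroring the chain
# Snyk reported: express-openapi-validator@4.13.7 > multer@1.4.4 > busboy@0.2.14 > dicer@0.2.5
VULNERABLE_LOCK = json.loads("""{"dependencies": {
  "express-openapi-validator": {"version": "4.13.7", "requires": {"multer": "^1.4.4"}},
  "multer": {"version": "1.4.4", "requires": {"busboy": "^0.2.14"}},
  "busboy": {"version": "0.2.14", "requires": {"dicer": "0.2.5"}},
  "dicer": {"version": "0.2.5", "requires": {}}}}""")

# Same tree after the remediation discussed in the thread (constructed, assumed): multer 1.4.4-lts.1
# gets busboy 1.0.0 as a nested install, and busboy >= 1.0.0 has no dicer dependency at all.
FIXED_LOCK = json.loads("""{"dependencies": {
  "express-openapi-validator": {"version": "4.13.8", "requires": {"multer": "1.4.4-lts.1"}},
  "multer": {"version": "1.4.4-lts.1", "requires": {"busboy": "^1.0.0"},
             "dependencies": {"busboy": {"version": "1.0.0", "requires": {}}}}}}""")

def _resolve(name, scopes):
    """npm resolution rule: the nearest enclosing 'dependencies' map defining `name` wins."""
    for deps in reversed(scopes):
        if name in deps:
            return deps[name]
    return None

def chains_to(lock, target, direct):
    """Every path from a direct dependency to `target`, as lists of 'name@version' strings."""
    found = []
    def walk(name, node, scopes, path):
        entry = f"{name}@{node.get('version', '?')}"
        if entry in path:                      # cycle guard
            return
        path = path + [entry]
        if name == target:
            found.append(path)
            return
        inner = scopes + ([node["dependencies"]] if "dependencies" in node else [])
        for dep in node.get("requires", {}):
            child = _resolve(dep, inner)
            if child is not None:
                walk(dep, child, inner, path)
    root = lock["dependencies"]
    for name in direct:
        if name in root:
            walk(name, root[name], [root], [])
    return found

def busboy_pins(chains):
    """busboy < 1.0.0 is what keeps dicer in the tree, so these are the versions to lift."""
    return sorted({e for c in chains for e in c
                   if e.startswith("busboy@") and int(e.split("@")[1].split(".")[0]) < 1})
```

Run against a real lockfile by replacing the constructed dicts with `json.load(open("package-lock.json"))` and the `direct` list with the names from package.json; an empty result from `chains_to` means the finding no longer applies to that tree.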
