DoS vulnerability from dicer@0.2.5

[mrded]

Hello,

Snyk is reporting a vulnerability in this repo, that is coming from the Dicer library:

Issues with no direct upgrade or patch:
  ✗ Denial of Service (DoS) [High Severity][https://snyk.io/vuln/SNYK-JS-DICER-2311764] in dicer@0.2.5
    introduced by multer@1.4.4 > busboy@0.2.14 > dicer@0.2.5
  No upgrade or patch available

Updating busboy@^1.0.0 drops the dependency on dicer (where the vuln comes from).

Thanks

[mrded]

#1096

[mrded]

Better solution: #1097

[krsubbar]

@mrded Thanks for raising this PR 1097. Request the team to merge this soon. As github is also reporting a high vulnerability which will get fixed with this busboy version upgrade. GHSA-wm7h-9275-46v2

[roneyantony]

High Crash in HeaderParser in dicer

Package dicer

Patched in No patch available

Dependency of multer

Path multer > busboy > dicer

[victorKariuki]

We need that fix, i don't like Severity: high, a warning is fine not red notifications.

[1yzz]

I need this

[LinusU]

This is fixed in version 1.4.5-lts.1. That version has a breaking change in that it's not compatible with older versions of Node.js anymore. If anyone can contribute a backwards-compatible patch we could release that as 1.4.5 without the -lts.1 postfix.

[victorKariuki]

Thank you it works.

[123NeNaD]

What versions of Node are compatible?

[LinusU]

What versions of Node are compatible?

v10.16.0 or newer

[victorKariuki]

i've upgraded all my projects to 16 lts

…

________________________________ From: Linus Unnebäck ***@***.***> Sent: Thursday, June 16, 2022 10:33 To: expressjs/multer ***@***.***> Cc: victorKariuki ***@***.***>; Comment ***@***.***> Subject: Re: [expressjs/multer] DoS vulnerability from ***@***.*** (Issue #1095) What versions of Node are compatible? v10.16.0 or newer — Reply to this email directly, view it on GitHub<#1095 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/ATTZYI52BNNIQIE56WDBTMDVPLKDNANCNFSM5WP4UIOQ>. You are receiving this because you commented.Message ID: ***@***.***>

[ashish1497]

This is fixed in version 1.4.5-lts.1. That version has a breaking change in that it's not compatible with older versions of Node.js anymore. If anyone can contribute a backwards-compatible patch we could release that as 1.4.5 without the -lts.1 postfix.

Has this been done or we should do npm i multer@1.4.5-lts.1?

[bryanph]

@LinusU perhaps a good reason to release it as 2.0 to indicate a breaking change (removing support for older node versions)?

[ZhaoKunLong]

Is any way to resolve this issue?

[LinusU]

@bryanph there is already another 2.0 release line with multiple releases

@ZhaoKunLong @ashish1497 yes, npm i multer@1.4.5-lts.1 should fix this 👍