Comments (9)
@PPKath-1611: I agree with @aearly's comment in full. Please don't nag the maintainers; false-positive CVEs are a nuisance for everyone.
I've raised a retraction request in the GitHub repository & am contacting NVD asking them to do the same. zunak/CVE-2024-39249#1
If you have a problem with Snyk assessing the 'vulnerability' as medium affecting your builds, contact Snyk, not this maintainer.
Snyk appears to have revoked this vulnerability.
https://security.snyk.io/vuln/SNYK-JS-ASYNC-7414156
@aearly, if you think so, can you please look & verify why Snyk is mentioning it as a medium-severity vulnerability? If possible, kindly provide a new patch version of it, as the current version 3.2.5 is causing a Medium CVE which is leading to failure of the npm vulnerability scan in our build pipeline.
No, this is not exploitable except with extremely contrived examples.
Yes, thanks for the backup. For reference everyone, the example code provided involved 500 spaces between `async` and `(args) => {...}` in code a developer would write. It would be as conspicuous in code review as `for(var i = 0; i < 1000000000; i++);`.
This seems incredibly unlikely to be exploitable, except in development. If a user of Async was eval()ing user input and passing functions to `autoInject`, they would have bigger problems.
Hi @aearly @caolan, are you guys planning to resolve this CVE soon by publishing a new version of this NPM package?
@aearly, just for your reference, please go through the observation explained by this author:
https://github.com/zunak/CVE-2024-39249
Thanks
Okay, closing this issue. I'm also disappointed that Snyk cried wolf on a completely unverified CVE and created a lot of extra work for you all.