
[Security vulnerability] NPM IP package vulnerable to Server-Side Request Forgery (SSRF) attacks #1294

Closed
xiaweiss opened this issue Feb 20, 2024 · 12 comments

Comments

@xiaweiss

ali-oss@6.20.0 => urllib@2.41.0 => ip@1.1.5

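Added example, not from the issue or the ali-oss project: a small Node script that walks the tree `npm ls --all --json` prints and returns every dependency path reaching a given package version, so the chain reported above (ali-oss => urllib => ip@1.1.5) can be confirmed or ruled out in your own install. The tree below is a constructed sample in that shape, not real output.

```javascript
// Constructed sample shaped like `npm ls --all --json` output; the versions on
// the ali-oss branch mirror the chain reported in this issue, the decoy branch
// uses a made-up ip version so the filter has something to skip.
const sampleTree = {
  name: "my-app",
  version: "1.0.0",
  dependencies: {
    "ali-oss": {
      version: "6.20.0",
      dependencies: {
        urllib: {
          version: "2.41.0",
          dependencies: { ip: { version: "1.1.5" } },
        },
      },
    },
    "decoy-lib": {
      version: "3.0.0",
      dependencies: { ip: { version: "9.9.9" } }, // constructed, not a real release
    },
  },
};

// Depth-first walk over the nested `dependencies` objects, collecting each
// "name@version => ..." chain whose last hop is exactly targetName@targetVersion.
// npm's JSON tree has no cycles (repeats are marked deduped), so no visited set.
function findDependencyPaths(tree, targetName, targetVersion) {
  const hits = [];
  function walk(node, path) {
    for (const [name, child] of Object.entries(node.dependencies || {})) {
      const next = path.concat(`${name}@${child.version}`);
      if (name === targetName && child.version === targetVersion) {
        hits.push(next.join(" => "));
      }
      walk(child, next);
    }
  }
  walk(tree, []);
  return hits;
}

// Usage: `npm ls --all --json > tree.json`, then pass JSON.parse(fs.readFileSync(...))
// instead of sampleTree. The constructed sample is used here so it runs offline.
const paths = findDependencyPaths(sampleTree, "ip", "1.1.5");
console.log(paths.length ? paths.join("\n") : "no matching path");
```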
@xiaweiss
Author

see pr: #1292

@xiaweiss xiaweiss changed the title NPM IP package vulnerable to Server-Side Request Forgery (SSRF) attacks [Security vulnerability] NPM IP package vulnerable to Server-Side Request Forgery (SSRF) attacks Feb 20, 2024
@taltal78

taltal78 commented Jun 3, 2024

Hi,
I see the PR #1292 got closed... will this be handled?

@I072744

I072744 commented Jun 4, 2024

This vulnerability still exists... how would this be handled?
The latest urllib version is available, which is free from the vulnerability.
Thanks

@borisLipmanovich

Hi @xiaweiss , any updates on this topic?
I see the PR #1292 got closed... will this be handled?

@xiaweiss
Author

xiaweiss commented Jul 23, 2024

@borisLipmanovich PR #1292 was closed, but not merged. Holy shit!

urllib version is still 2.41.0
https://github.com/ali-sdk/ali-oss/blob/master/package.json#L156

@xiaweiss xiaweiss reopened this Jul 23, 2024
@borisLipmanovich

@xiaweiss, indeed :) Can anyone handle it?

@xiaweiss
Author

@borisLipmanovich
No one is dealing with it, Alibaba doesn't take security seriously, it can be ignored

@borisLipmanovich

@xiaweiss, this vulnerability has CVSS 8.6. Maybe you can reopen the PR, as it was closed without merging?
#1292

@xiaweiss
Author

@borisLipmanovich please @ the repo owner, not me.

@xiaweiss
Author

I'm just giving feedback, I don't have any access

@YunZZY
Collaborator

YunZZY commented Aug 16, 2024

Version 6.21.0 has been released

@YunZZY YunZZY closed this as completed Aug 16, 2024
@ricky11

ricky11 commented Oct 18, 2024

The bundle size is just getting bigger and bigger. Please remember this is also a browser package, and 700kb plus, even not gzipped, is huge... this package should be tree-shaken, to only import what you need.
