[Vulnerability] patch axios vulnerability CVE-2023-26159 #992

Closed
lilfaf opened this issue Jan 5, 2024 · 1 comment
Comments

lilfaf commented Jan 5, 2024

Issue Summary

The library uses axios 1.6.0, which has a vulnerable dependency: follow-redirects < 1.15.4.

https://security.snyk.io/vuln/SNYK-JS-FOLLOWREDIRECTS-6141137

See related PRs on axios:
axios/axios#6164
axios/axios#6166

Steps to Reproduce

  • Install the latest twilio-node dependency
  • Run a snyk security scan

Code Snippet

snyk test --all-projects

Exception/Log

Issues to fix by upgrading:

  Upgrade axios@1.6.0 to axios@1.6.3 to fix
  ✗ Regular Expression Denial of Service (ReDoS) (new) [Medium Severity][https://security.snyk.io/vuln/SNYK-JS-AXIOS-6124857] in axios@1.6.0
    introduced by axios@1.6.0 and 1 other path(s)
Issues with no direct upgrade or patch:
  ✗ Improper Input Validation [High Severity][https://security.snyk.io/vuln/SNYK-JS-FOLLOWREDIRECTS-6141137] in follow-redirects@1.15.2
    introduced by axios@1.6.0 > follow-redirects@1.15.2 and 1 other path(s)
  This issue was fixed in versions: 1.15.4

Technical details:

  • twilio-node version: 4.20.0
  • node version: 18.16.0
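An added check, not part of this issue or of twilio-node, that reproduces the two findings in the snyk output above without snyk: it walks a package-lock.json (lockfileVersion 2 or 3, the "packages" map) and flags every copy of follow-redirects below 1.15.4 and of axios below 1.6.3, the fixed versions the report names. Nested copies such as node_modules/twilio/node_modules/axios are visited too, which is what snyk's "1 other path(s)" refers to. The lockfile embedded in the script is constructed for the example; twilio-node's real lockfile is not on this page. Version 1 lockfiles (a nested "dependencies" tree) are not handled.

```javascript
// Added example (not twilio-node code): flag vulnerable follow-redirects / axios
// copies in an npm lockfile. Thresholds are the fixed versions from the snyk report.
const FIXED_VERSIONS = {
  "follow-redirects": "1.15.4", // SNYK-JS-FOLLOWREDIRECTS-6141137, fixed in 1.15.4
  "axios": "1.6.3",             // SNYK-JS-AXIOS-6124857, upgrade target 1.6.3
};

// Numeric compare of two "x.y.z" strings; returns -1, 0 or 1.
// Pre-release suffixes are dropped on purpose: lockfiles pin exact releases.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Walk the "packages" map of a v2/v3 lockfile. Keys look like
// "node_modules/axios" or "node_modules/twilio/node_modules/axios" (nested copy),
// so the package name is whatever follows the last "node_modules/".
function findVulnerable(lock) {
  const findings = [];
  const marker = "node_modules/";
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry, not a dependency
    const idx = path.lastIndexOf(marker);
    if (idx < 0) continue;
    const name = path.slice(idx + marker.length);
    const fixed = FIXED_VERSIONS[name];
    if (!fixed || !meta.version) continue;
    if (compareVersions(meta.version, fixed) < 0) {
      findings.push({ name, path, version: meta.version, fixed });
    }
  }
  return findings;
}

// Constructed sample lockfile (hypothetical app depending on twilio 4.20.0).
// It mirrors the two paths snyk reported: axios@1.6.0 -> follow-redirects@1.15.2,
// plus one nested follow-redirects copy that is already at the fixed version.
const sampleLock = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { twilio: "4.20.0" } },
    "node_modules/twilio": { version: "4.20.0", dependencies: { axios: "1.6.0" } },
    "node_modules/axios": { version: "1.6.0", dependencies: { "follow-redirects": "^1.15.0" } },
    "node_modules/follow-redirects": { version: "1.15.2" },
    "node_modules/other-lib/node_modules/follow-redirects": { version: "1.15.4" },
  },
};

// Usage: node audit-lock.js [path/to/package-lock.json]; without an argument the
// constructed sample above is audited.
if (typeof require === "function" && require.main === module) {
  const fs = require("fs");
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], "utf8"))
    : sampleLock;
  const findings = findVulnerable(lock);
  for (const f of findings) {
    console.log(`${f.path}: ${f.name}@${f.version} is below fixed version ${f.fixed}`);
  }
  process.exitCode = findings.length ? 1 : 0;
}
```

Against the sample the script reports axios@1.6.0 and the top-level follow-redirects@1.15.2 and exits non-zero, while the nested 1.15.4 copy passes; the same two findings are what the snyk output above lists for twilio-node 4.20.0.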
@tiwarishubham635 (Contributor) commented:

Resolved by #993
