Recent fast-xml-parser vulnerability now shows dozens of high severity vulnerabilities during npm install
#6331
Comments
purplepenguin42
added
bug
|
Ignore the exact number (18), it'll vary depending on which modules you're installing. $ npm install @aws-sdk/[email protected]
added 90 packages, and audited 91 packages in 1s
2 packages are looking for funding
run `npm fund` for details
13 high severity vulnerabilities
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
Run `npm audit` for details. |
purplepenguin42
changed the title
npm installnpm install
|
Having the same issue with our:
Updating to latest versions did not help since the fast-xml-parser version is still 4.2.5 which needs to be upgraded to 4.4.1 |
|
See #6330 |
|
@seriousme is there a timeline for a release of fixed version? |
|
I don't know, I don't work for Amazon. |
|
@kiarash-malekzadeh have you found any sol for @AWS-SDK and all |
|
@trivikr is there a timeline for a release of fixed version? |
|
I'm also having a dozen of vulnerabilities' |
The new version https://github.com/aws/aws-sdk-js-v3/releases/tag/v3.621.0 with updated version of fast-xml-parser is expected to release around 12:30 PM Pacific today (Tue, July 30th) |
|
@trivikr thanks! Quick question, why do you pin the dependencies version in |
We pin third-party dependencies in Imagine a scenario where This issue is difficult to triage since it happens when bad version is released in a third-party dependency. After triaging, the immediate fix also requires a code change in application, like pinning the third-party dependency version in package.json overrides. This fix is expensive as it requires commit+review+build+deploy in application code and we also need to educate the application maintainers. The most popular XML based protocol client, i.e. @aws-sdk/client-s3, has 6M+ downloads per week. So you can imagine how bad that can be. On other hand, when there's "security vulnerability" in XML parsing like this case, your AWS applications are actually NOT impacted. This is because the SDK parses XML content only from trusted sources, i.e. responses from AWS servers. These responses are also obtained over HTTPS by default, so there's no possibility of PITM attack to change the response. We recognize that these security advisories nonetheless cause build failures and auditing issues, and we provide a timely response. Your AWS applications are still safe with older versions of fast-xml-parser with vulnerability in XML parsing. But if you or your team is worried about vulnerability report, just update to the latest version. New latest version usually gets published within 24 hours, like https://github.com/aws/aws-sdk-js-v3/releases/tag/v3.621.0 will publish around 12:30 PM Pacific today. But we can also also publish it out of window, if there's a real issue in the SDK. |
trivikr
added
p1
|
Do you know if this fix will also be released simultaneously for sdk v2 ? |
The AWS SDK for JavaScript (v2) does NOT have a direct/transient dependency on fast-xml-parser It can be verified by installing the SDK in a new folder as follows: $ test-deps> npm init -y
$ test-deps> npm install aws-sdk
$ test-deps> npm why aws-sdk
[email protected]
node_modules/aws-sdk
aws-sdk@"^2.1664.0" from the root project
$ test-deps> npm why fast-xml-parser |
|
We encountered this on our project today. Somehow 3.620.1 did not fix for us, so we had to use "overrides": {
"@aws-sdk/client-s3": {
"fast-xml-parser": "4.4.1",
"@aws-sdk/client-sts": {
"fast-xml-parser": "4.4.1"
}
}
}, |
The fix is going to be published in Details in prior comment #6331 (comment) |
kuhe
added
pending-release
This isn't how pinning works, mainly because you can't actually pin a dependency tree. You're pinning the top-level dependencies, but all of the transitive dependencies still freely update based on semver ranges. The reality is the current design is basically the worst of both worlds, you still aren't pinning most of the SDK's actual dependencies but you are pinning a handful, which makes it impossible for these issues to simply be non-issues by letting consumers run a fresh install. Put another way, the current approach is like closing one window in a house, while leaving all the other windows and doors open, and then thinking you're safer because you closed that one window, when in reality it has no real effect on anything. |
@purplepenguin42 I tried my best to explain the issue in a concise way in the comment #6331 (comment) providing specific examples on how failures can happen in both cases, and the cost of fixing them. I also didn't use some any analogy to put it in another way. Can you create a feature request and provide a minimal repro on how a bad update in third-party dependency, like That way, we keep this issue specific to [email protected] update, and not digress. |
|
What I'm trying to get across is you aren't doing what you actually think you are doing. Yes, you can pin For example, The point I'm trying to make is pinning tl;dr - you pinning a handful of dependencies does more harm than good; you are only preventing "bad updates" to a tiny percentage of the SDK's overall dependencies, while at the same time preventing people from easily using the latest versions, and instead forcing users to rely on manual releases from the SDK in situations like this. Regardless, I won't comment any further on this thread. Feel free to make another tracking issue, but it doesn't appear the SDK team actually understands how their own system currently works, which is a bit scary. |
|
The @aws-sdk/[email protected] was published at 12:19 PM Pacific $ npm view @aws-sdk/client-s3 time --json | grep 3.621.0
"3.621.0": "2024-07-30T19:19:32.730Z"I verified that it includes $ test-deps> npm init -y
$ test-deps> npm install @aws-sdk/[email protected] --save-exact
$ test-deps> npm why fast-xml-parser | grep fast-xml-parser
[email protected]
node_modules/fast-xml-parser
fast-xml-parser@"4.4.1" from @aws-sdk/[email protected]If you're blocked on this vulnerability report, please upgrade your SDK version to |
trivikr
removed
the
pending-release
|
Hello, can confirm 3.621.0 fixes the vulnerability on my dependency tree. Thank you! |
|
@trivikr Still having the 4.2.5 dependency under this in package-lock.json: Is there anything else that should be updated besides @aws-sdk/client-s3 and aws-sdk? Please note that we have not installed the @aws-sdk/client-sts and it does not exist in package.json. |
Update all your You've only provided a subset of your lockfile contains |
|
@trivikr We have only the following installed:
I think the dependencies of "aws-sdk" have not been updated. |
|
@trivikr This is what I get from npm audit: |
|
@kiarash-malekzadeh You can examine your lockfile by running From the logs, it looks like you have the following direct dependency "@aws-sdk/client-sts": "<=3.525.0", |
|
@trivikr Thanks for the help. Fixed the issue. |
|
@trivikr this is showing in my audit files fast-xml-parser <4.4.1
Severity: high
fast-xml-parser vulnerable to ReDOS at currency parsing - https://github.com/advisories/GHSA-mpg4-rc92-vx8v
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/@aws-sdk/client-sts/node_modules/fast-xml-parser
@aws-sdk/client-sts <=3.525.0
Depends on vulnerable versions of fast-xml-parser
node_modules/@aws-sdk/client-sts
@aws-sdk/client-firehose 3.12.0 - 3.525.0
Depends on vulnerable versions of @aws-sdk/client-sts
node_modules/@aws-sdk/client-firehose
@aws-amplify/analytics >=7.0.0
Depends on vulnerable versions of @aws-sdk/client-firehose
Depends on vulnerable versions of @aws-sdk/client-kinesis
Depends on vulnerable versions of @aws-sdk/client-personalize-events
node_modules/@aws-amplify/analytics
aws-amplify >=6.0.0
Depends on vulnerable versions of @aws-amplify/analytics
node_modules/aws-amplify
@aws-amplify/ui <=0.0.0-theming-v2-f8422a3-20240627193426 || >=6.0.0
Depends on vulnerable versions of aws-amplify
node_modules/@aws-amplify/ui
@aws-amplify/ui-angular <=0.0.0-theming-v2-f8422a3-20240627193426 || >=5.0.0
Depends on vulnerable versions of @aws-amplify/ui
Depends on vulnerable versions of aws-amplify
node_modules/@aws-amplify/ui-angular
@aws-sdk/client-kinesis 3.12.0 - 3.525.0
Depends on vulnerable versions of @aws-sdk/client-sts
node_modules/@aws-sdk/client-kinesis
@aws-sdk/client-personalize-events 3.12.0 - 3.525.0
Depends on vulnerable versions of @aws-sdk/client-sts
node_modules/@aws-sdk/client-personalize-events |
|
@bhaveshj459 The answer is similar to one given in previous comment, and your console also shows |
|
@trivikr I have tried it but its not working for me also I have made an new angular application to make sure other deps are not causing this issue but found no difference. |
|
I'm getting the same thing.
I've tried resolving this but my dependencies show:
|
|
@jlove-dev The AWS SDK in your application is imported from Amplify. Please refer to aws-amplify/amplify-js#13670, for updates in |
|
Thank you @trivikr that really clears things up! |
|
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs and link to relevant comments in this thread. |
Checkboxes for prior research
Describe the bug
Related:
When running an
npm installwith latest versions of things like@aws-sdk/client-dynamodb,@aws-sdk/client-kms,@aws-sdk/client-lambda, etc. you are now greeted with a bold red text about 18 high severity vulnerabilities. I'm using the latest (i.e. published a few hours ago versions), and npm is still showing the warnings.Is there a timeline when the rest of the ecosystem will be updated? Previously (e.g. yesterday), the same install resulted in 0 warnings.
SDK version number
@aws-sdk/[email protected]
Which JavaScript Runtime is this issue in?
Node.js
Details of the browser/Node.js/ReactNative version
v22.5.1
Reproduction Steps
Run
npm installwith any of the modular SDK packages on the latest version.Observed Behavior
A bunch of high severity vulnerability warnings.
Expected Behavior
No warnings.
Possible Solution
No response
Additional Information/Context
No response
The text was updated successfully, but these errors were encountered: