A CVE is present in the dependency chain #2701

Open
jdubbwya opened this issue Dec 6, 2024 · 0 comments
Labels
bug Something isn't working

Comments

jdubbwya commented Dec 6, 2024

Description

When using the latest version of the SDK, npm audit informs me that CVE-2024-37168 is present.

Here is my output

@grpc/grpc-js  <1.8.22
Severity: moderate
@grpc/grpc-js can allocate memory for incoming messages well above configured limits - https://github.com/advisories/GHSA-7v5v-9h63-cj86
fix available via `npm audit fix --force`
Will install @hashgraph/[email protected], which is a breaking change
node_modules/@grpc/grpc-js
  @hashgraph/sdk  >=2.25.0
  Depends on vulnerable versions of @ethersproject/abi
  Depends on vulnerable versions of @grpc/grpc-js
  node_modules/@hashgraph/sdk

elliptic  <=6.5.7
Elliptic's EDDSA missing signature length check - https://github.com/advisories/GHSA-f7q4-pwc6-w24p
Elliptic's ECDSA missing check for whether leading bit of r and s is zero - https://github.com/advisories/GHSA-977x-g7h5-7qgw
Elliptic allows BER-encoded signatures - https://github.com/advisories/GHSA-49q7-c7j4-3p7m
Elliptic's verify function omits uniqueness validation - https://github.com/advisories/GHSA-434g-2637-qmqr
Valid ECDSA signatures erroneously rejected in Elliptic - https://github.com/advisories/GHSA-fc9h-whq2-v747
fix available via `npm audit fix --force`
Will install @hashgraph/[email protected], which is a breaking change
node_modules/elliptic
  @ethersproject/signing-key  <=5.7.0
  Depends on vulnerable versions of elliptic
  node_modules/@ethersproject/signing-key
    @ethersproject/transactions  <=5.7.0
    Depends on vulnerable versions of @ethersproject/signing-key
    node_modules/@ethersproject/transactions
      @ethersproject/abstract-provider  *
      Depends on vulnerable versions of @ethersproject/transactions
      node_modules/@ethersproject/abstract-provider
        @ethersproject/abstract-signer  *
        Depends on vulnerable versions of @ethersproject/abstract-provider
        node_modules/@ethersproject/abstract-signer
          @ethersproject/hash  5.0.6 - 5.7.0
          Depends on vulnerable versions of @ethersproject/abstract-signer
          node_modules/@ethersproject/hash
            @ethersproject/abi  5.0.10 - 5.7.0
            Depends on vulnerable versions of @ethersproject/hash
            node_modules/@ethersproject/abi

Steps to reproduce

  • Using npm, install @hashgraph/sdk 2.54.2
  • Run npm audit

Additional context

Bug report states that it is true for >=2.25.0

Hedera network

No response

Version

2.54.2

Operating system

macOS

@jdubbwya jdubbwya added the bug Something isn't working label Dec 6, 2024
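The audit output above only tells you that a vulnerable package sits somewhere under @hashgraph/sdk; when triaging a report like this it helps to see exactly which chain of dependencies pulls the package in and whether the installed version actually falls inside the advisory's range. The following is an added example, not code from the issue or from the Hedera SDK: it walks a package-lock.json (lockfileVersion 2 or 3, where every installed package is listed under "packages" keyed by its node_modules path), reproduces the chain npm audit printed, and checks the resolved version against the ranges quoted in the issue. The lockfile fragment and all versions in it are constructed for illustration, not the SDK's real resolutions.

```javascript
// Added example (not from the issue or the Hedera SDK): trace the dependency
// chain to a transitive package in a package-lock.json and check whether the
// installed version is inside an advisory's vulnerable range.

// Vulnerable ranges as printed by npm audit in the issue.
const VULN_RANGES = {
  "@grpc/grpc-js": [["<", "1.8.22"]],  // GHSA-7v5v-9h63-cj86
  "elliptic": [["<=", "6.5.7"]],       // the five elliptic advisories
};

// Constructed sample lockfile fragment (lockfileVersion 3 shape). The chain
// mirrors the audit output; version numbers are assumptions for illustration.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "@hashgraph/sdk": "2.54.2" } },
    "node_modules/@hashgraph/sdk": { version: "2.54.2",
      dependencies: { "@grpc/grpc-js": "^1.8.0", "@ethersproject/abi": "^5.7.0" } },
    "node_modules/@grpc/grpc-js": { version: "1.8.21" },
    "node_modules/@ethersproject/abi": { version: "5.7.0",
      dependencies: { "@ethersproject/hash": "^5.7.0" } },
    "node_modules/@ethersproject/hash": { version: "5.7.0",
      dependencies: { "@ethersproject/abstract-signer": "^5.7.0" } },
    "node_modules/@ethersproject/abstract-signer": { version: "5.7.0",
      dependencies: { "@ethersproject/abstract-provider": "^5.7.0" } },
    "node_modules/@ethersproject/abstract-provider": { version: "5.7.0",
      dependencies: { "@ethersproject/transactions": "^5.7.0" } },
    "node_modules/@ethersproject/transactions": { version: "5.7.0",
      dependencies: { "@ethersproject/signing-key": "^5.7.0" } },
    "node_modules/@ethersproject/signing-key": { version: "5.7.0",
      dependencies: { "elliptic": "^6.5.4" } },
    "node_modules/elliptic": { version: "6.5.7" },
  },
};

// Numeric dotted-version comparison. Pre-release suffixes ("1.0.0-beta") are
// not handled here; use the semver package for production tooling.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// True when the version satisfies every comparator, e.g. [["<", "1.8.22"]].
function inRange(version, comparators) {
  return comparators.every(([op, bound]) => {
    const c = compareVersions(version, bound);
    if (op === "<") return c < 0;
    if (op === "<=") return c <= 0;
    if (op === ">") return c > 0;
    if (op === ">=") return c >= 0;
    if (op === "=") return c === 0;
    throw new Error("unknown comparator " + op);
  });
}

// Parent directory for Node-style resolution: "node_modules/a/node_modules/b"
// resolves its own deps starting at its path, then at "node_modules/a", then "".
function parentDir(pkgPath) {
  const i = pkgPath.lastIndexOf("node_modules/");
  return i <= 0 ? "" : pkgPath.slice(0, i - 1);
}

// Resolve depName from fromPath the way Node does: nearest node_modules wins.
function resolveDep(fromPath, depName, packages) {
  for (let dir = fromPath; ; dir = parentDir(dir)) {
    const candidate = (dir ? dir + "/" : "") + "node_modules/" + depName;
    if (packages[candidate]) return candidate;
    if (dir === "") return null; // not installed (e.g. optional dependency)
  }
}

// Every chain of package names from the root project down to targetName.
// Only "dependencies" edges are followed, which is what npm audit reports.
function findChains(lock, targetName) {
  const packages = lock.packages;
  const chains = [];
  function walk(pkgPath, chain, onStack) {
    for (const depName of Object.keys(packages[pkgPath].dependencies || {})) {
      const depPath = resolveDep(pkgPath, depName, packages);
      if (!depPath || onStack.has(depPath)) continue; // missing or cyclic
      const next = chain.concat(depName);
      if (depName === targetName) chains.push({ chain: next, version: packages[depPath].version });
      onStack.add(depPath);
      walk(depPath, next, onStack);
      onStack.delete(depPath);
    }
  }
  walk("", [], new Set([""]));
  return chains;
}

// One finding per (advisory package, chain), flagged if the resolved version
// falls inside the vulnerable range.
function auditLock(lock, vulnRanges) {
  const findings = [];
  for (const [name, comparators] of Object.entries(vulnRanges)) {
    for (const { chain, version } of findChains(lock, name)) {
      findings.push({ name, version, vulnerable: inRange(version, comparators), chain });
    }
  }
  return findings;
}

function formatFindings(findings) {
  return findings.map(f =>
    `${f.vulnerable ? "VULNERABLE" : "ok"}  ${f.name}@${f.version}  via ${f.chain.join(" > ")}`
  ).join("\n");
}

console.log(formatFindings(auditLock(SAMPLE_LOCK, VULN_RANGES)));
```

To run this against a real project, parse its package-lock.json and pass the object to auditLock in place of SAMPLE_LOCK; a finding marked ok for a package npm audit still lists usually means the lockfile was updated by a nested resolution that the advisory range does not cover, while a VULNERABLE finding whose chain runs through a single direct dependency (as both chains here do through @hashgraph/sdk) shows that only an upstream release, not a local override, can clear the report without a breaking change.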