
CVE-2023-46233 in crypto-js as part of @react-pdf/[email protected] #2447

Closed
JesseObrien opened this issue Nov 13, 2023 · 1 comment · Fixed by #2450

@JesseObrien wrote:

The Bug
CVE-2023-46233 describes the PBKDF2 algorithm implemented in crypto-js prior to version 4.2.0 as being 1,000 times weaker than the spec from 1993 and 1,300,000 times weaker than the current industry standard.

To Reproduce
Steps to reproduce the behavior, including a code snippet (if applicable):

  1. Install trivy via the installation docs
  2. Clone this repo into a folder on your local machine.
  3. Run trivy fs . inside that folder.
  4. See that crypto-js is installed at version 4.0.0 and is listed as a critical severity CVE.

Expected behavior
Expect the crypto-js dependency within the pdfkit package to be upgraded to the latest version, 4.2.0.

Desktop (please complete the following information):

  • OS: OSX
  • Browser: N/A
  • React-pdf version: latest (3.0.2)
@strazto (Contributor) commented Nov 15, 2023

TL;DR for concerned react-pdf users

If the only crypto-js dependency in your project's manifest is via react-pdf, you're safe enough to dismiss the dependabot alert as "Vulnerable code is not actually used".

A few comments regarding this:

  1. It causes dependabot (or whatever SCA tooling one might use) to raise a critical error for users of react-pdf, due to the crypto-js dependency.
  2. Since it's such an easy fix, the maintainers of react-pdf should certainly update their version of crypto-js to the mitigated version, for everyone's sanity.
  3. Important - Users of react-pdf can dismiss the dependabot warning:
    • Per "fix: import only md5 hash from crypto-js" (#1607):
      • react-pdf only actually uses the md5 algorithm from crypto-js
      • (I haven't thoroughly reviewed the rest of the codebase, but I assume md5 is used as a convenient hashing algorithm in a non-security-critical context, and there's no reason to actually use PBKDF2 or any other crypto function),
      • so it's safe enough to assume the vulnerable algorithm is never actually used by react-pdf;
      • therefore, assuming the only dependency is via react-pdf's dependency, a project with react-pdf in its dependencies is not affected by this CVE.
      • The developer can dismiss the alert as "Vulnerable code is not actually used".
