[BUG] npm audit (security/advisories/bulk) inaccuracy #8125

Open
@benpbolton

Description

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

For complex (multiple major versioned) CVE ranges, https://registry.npmjs.org/-/npm/v1/security/advisories/bulk incorrectly 'simplifies' affected versions.

e.g. GHSA-rmvr-2pp2-xj38 via related: octokit/graphql.js#638

Expected Behavior

echo '{"@octokit/request":["8.4.1"]}' | gzip -c | curl -X POST \
           https://registry.npmjs.org/-/npm/v1/security/advisories/bulk \
           -H "Content-Type: application/json" \
           -H "Content-Encoding: gzip" \
           -H "Accept: application/json" \
           --data-binary @-

Should return an empty object {} (no vulnerabilities found)

Instead, it returns:

{
  "@octokit/request": [
    {
      "id": 1102260,
      "url": "https://github.com/advisories/GHSA-rmvr-2pp2-xj38",
      "title": "@octokit/request has a Regular Expression in fetchWrapper that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking",
      "severity": "moderate",
      "vulnerable_versions": ">=1.0.0 <9.2.1",
      "cwe": [
        "CWE-1333"
      ],
      "cvss": {
        "score": 5.3,
        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
      }
    }
  ]
}

Expanding the vulnerable version range without constraints around the vulnerable versions reported by GitHub:

curl -L \
           -H "Accept: application/vnd.github+json" \
           -H "X-GitHub-Api-Version: 2022-11-28" \
           https://api.github.com/advisories/GHSA-rmvr-2pp2-xj38 | jq '.vulnerabilities'

of

[
  {
    "package": {
      "ecosystem": "npm",
      "name": "@octokit/request"
    },
    "vulnerable_version_range": ">= 9.0.0-beta.1, < 9.2.1",
    "first_patched_version": "9.2.1",
    "vulnerable_functions": []
  },
  {
    "package": {
      "ecosystem": "npm",
      "name": "@octokit/request"
    },
    "vulnerable_version_range": ">= 1.0.0, < 8.4.1",
    "first_patched_version": "8.4.1",
    "vulnerable_functions": []
  }
]

Steps To Reproduce

e.g. for this specific CVE:

git clone git@github.com:octokit/graphql.js.git -b 7.x
cd graphql.js
npm audit --loglevel=silly

npm audit incorrectly reports 8.4.1 as a vulnerable version

Environment

  • npm: 11.1.0
  • Node.js: 22.14.0
  • OS Name: 15.3 (24D60)
  • System Model Name: MacBook Pro
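A way to make the discrepancy in this report concrete, added here as an example and not code from the reporter or from npm: a small hand-written semver range evaluator (constructed for this example, not node-semver; it orders prereleases correctly but does not apply node-semver's rule of excluding prereleases from ranges that do not name them) checks each version against the two separate GitHub ranges and against the single collapsed range the bulk endpoint returned, and lists the versions that only the collapsed range flags.

```python
import re

# Constructed inputs copied from the report: the two ranges GitHub publishes for
# GHSA-rmvr-2pp2-xj38 and the single collapsed range the npm bulk endpoint returned.
GITHUB_RANGES = [">= 9.0.0-beta.1, < 9.2.1", ">= 1.0.0, < 8.4.1"]
NPM_BULK_RANGE = ">=1.0.0 <9.2.1"

_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$")
_CMP = re.compile(r"(>=|<=|>|<|=)?\s*([0-9A-Za-z.-]+)")

def parse(version: str) -> tuple:
    """Turn 'MAJOR.MINOR.PATCH[-pre]' into a tuple that sorts like semver:
    a release sorts after every prerelease of the same core version, and
    numeric prerelease identifiers sort below alphanumeric ones."""
    m = _VER.match(version.strip())
    if not m:
        raise ValueError(f"not a semver version: {version!r}")
    core = tuple(int(x) for x in m.group(1, 2, 3))
    pre = m.group(4)
    if pre is None:
        return core + ((1, ()),)
    parts = tuple((0, int(p)) if p.isdigit() else (1, p) for p in pre.split("."))
    return core + ((0, parts),)

def satisfies(version: str, range_expr: str) -> bool:
    """True when version meets every comparator in a range such as
    '>= 1.0.0, < 8.4.1' or '>=1.0.0 <9.2.1' (comparators are ANDed)."""
    v = parse(version)
    for op, bound in _CMP.findall(range_expr):
        b = parse(bound)
        ok = {">=": v >= b, "<=": v <= b, ">": v > b, "<": v < b, "=": v == b}[op or "="]
        if not ok:
            return False
    return True

def vulnerable_per_github(version: str) -> bool:
    """Vulnerable if any one of the advisory's separate ranges contains the version."""
    return any(satisfies(version, r) for r in GITHUB_RANGES)

def vulnerable_per_npm_bulk(version: str) -> bool:
    """What the collapsed range from the bulk endpoint says about the version."""
    return satisfies(version, NPM_BULK_RANGE)

def false_positives(versions):
    """Versions the collapsed range flags although no GitHub range covers them."""
    return [v for v in versions if vulnerable_per_npm_bulk(v) and not vulnerable_per_github(v)]

if __name__ == "__main__":
    sample = ["8.4.0", "8.4.1", "8.4.2", "9.0.0-beta.1", "9.2.0", "9.2.1"]
    for v in sample:
        print(f"{v:14} github={vulnerable_per_github(v)!s:5} npm_bulk={vulnerable_per_npm_bulk(v)}")
    print("false positives:", false_positives(sample))  # ['8.4.1', '8.4.2']
```

The patched 8.x line (8.4.1 and later) is exactly the gap between the two GitHub ranges that a single ">=1.0.0 <9.2.1" range paves over, which is the false positive npm audit reports.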
