Elgato_dark/argo-cd
1
0
Fork 0
mirror of https://github.com/argoproj/argo-cd synced 2026-04-21 17:07:16 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 22
argo-cd/docs/snyk/v2.14.17/argocd-test.html
github-actions[bot] 1680134dc2
[Bot] docs: Update Snyk report (#24552) 
Signed-off-by: CI <ci@argoproj.com>
Co-authored-by: CI <ci@argoproj.com>
Co-authored-by: rumstead <37445536+rumstead@users.noreply.github.com>
2025-09-15 14:00:28 +00:00

2519 lines
127 KiB
HTML
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-type" content="text/html; charset=utf-8">
<meta http-equiv="Content-Language" content="en-us">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<title>Snyk test report</title>
<meta name="description" content="15 known vulnerabilities found in 60 vulnerable dependency paths.">
<base target="_blank">
<link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png"
sizes="194x194">
<link rel="shortcut icon" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.ico">
<style type="text/css">
body {
-moz-font-feature-settings: "pnum";
-webkit-font-feature-settings: "pnum";
font-variant-numeric: proportional-nums;
display: flex;
flex-direction: column;
font-feature-settings: "pnum";
font-size: 100%;
line-height: 1.5;
min-height: 100vh;
-webkit-text-size-adjust: 100%;
margin: 0;
padding: 0;
background-color: #F5F5F5;
font-family: 'Arial', 'Helvetica', Calibri, sans-serif;
}
h1,
h2,
h3,
h4,
h5,
h6 {
font-weight: 500;
}
a,
a:link,
a:visited {
border-bottom: 1px solid #4b45a9;
text-decoration: none;
color: #4b45a9;
}
a:hover,
a:focus,
a:active {
border-bottom: 1px solid #4b45a9;
}
hr {
border: none;
margin: 1em 0;
border-top: 1px solid #c5c5c5;
}
ul {
padding: 0 1em;
margin: 1em 0;
}
code {
background-color: #EEE;
color: #333;
padding: 0.25em 0.5em;
border-radius: 0.25em;
}
pre {
background-color: #333;
font-family: monospace;
padding: 0.5em 1em 0.75em;
border-radius: 0.25em;
font-size: 14px;
}
pre code {
padding: 0;
background-color: transparent;
color: #fff;
}
a code {
border-radius: .125rem .125rem 0 0;
padding-bottom: 0;
color: #4b45a9;
}
a[href^="http://"]:after,
a[href^="https://"]:after {
background-image: linear-gradient(transparent,transparent),url("data:image/svg+xml,%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%20viewBox%3D%220%200%20112%20109%22%3E%3Cg%20id%3D%22Page-1%22%20fill%3D%22none%22%20fill-rule%3D%22evenodd%22%3E%3Cg%20id%3D%22link-external%22%3E%3Cg%20id%3D%22arrow%22%3E%3Cpath%20id%3D%22Line%22%20stroke%3D%22%234B45A9%22%20stroke-width%3D%2215%22%20d%3D%22M88.5%2021l-43%2042.5%22%20stroke-linecap%3D%22square%22%2F%3E%3Cpath%20id%3D%22Triangle%22%20fill%3D%22%234B45A9%22%20d%3D%22M111.2%200v50L61%200z%22%2F%3E%3C%2Fg%3E%3Cpath%20id%3D%22square%22%20fill%3D%22%234B45A9%22%20d%3D%22M66%2015H0v94h94V44L79%2059v35H15V30h36z%22%2F%3E%3C%2Fg%3E%3C%2Fg%3E%3C%2Fsvg%3E");
background-repeat: no-repeat;
background-size: .75rem;
content: "";
display: inline-block;
height: .75rem;
margin-left: .25rem;
width: .75rem;
}
/* Layout */
[class*=layout-container] {
margin: 0 auto;
max-width: 71.25em;
padding: 1.9em 1.3em;
position: relative;
}
.layout-container--short {
padding-top: 0;
padding-bottom: 0;
max-width: 48.75em;
}
.layout-container--short:after {
display: block;
content: "";
clear: both;
}
/* Header */
.header {
padding-bottom: 1px;
}
.paths {
margin-left: 8px;
}
.header-wrap {
display: flex;
flex-direction: row;
justify-content: space-between;
padding-top: 2em;
}
.project__header {
background-color: #030328;
color: #fff;
margin-bottom: -1px;
padding-top: 1em;
padding-bottom: 0.25em;
border-bottom: 2px solid #BBB;
}
.project__header__title {
overflow-wrap: break-word;
word-wrap: break-word;
word-break: break-all;
margin-bottom: .1em;
margin-top: 0;
}
.timestamp {
float: right;
clear: none;
margin-bottom: 0;
}
.meta-counts {
clear: both;
display: block;
flex-wrap: wrap;
justify-content: space-between;
margin: 0 0 1.5em;
color: #fff;
clear: both;
font-size: 1.1em;
}
.meta-count {
display: block;
flex-basis: 100%;
margin: 0 1em 1em 0;
float: left;
padding-right: 1em;
border-right: 2px solid #fff;
}
.meta-count:last-child {
border-right: 0;
padding-right: 0;
margin-right: 0;
}
/* Card */
.card {
background-color: #fff;
border: 1px solid #c5c5c5;
border-radius: .25rem;
margin: 0 0 2em 0;
position: relative;
min-height: 40px;
padding: 1.5em;
}
.card__labels {
position: absolute;
top: 1.1em;
left: 0;
display: flex;
align-items: center;
gap: 8px;
}
.card .label {
background-color: #767676;
border: 2px solid #767676;
color: white;
padding: 0.25rem 0.75rem;
font-size: 0.875rem;
text-transform: uppercase;
display: inline-block;
margin: 0;
border-radius: 0.25rem;
}
.card .label__text {
vertical-align: text-top;
font-weight: bold;
}
.card .label--critical {
background-color: #AB1A1A;
border-color: #AB1A1A;
}
.card .label--high {
background-color: #CE5019;
border-color: #CE5019;
}
.card .label--medium {
background-color: #D68000;
border-color: #D68000;
}
.card .label--low {
background-color: #88879E;
border-color: #88879E;
}
.severity--low {
border-color: #88879E;
}
.severity--medium {
border-color: #D68000;
}
.severity--high {
border-color: #CE5019;
}
.severity--critical {
border-color: #AB1A1A;
}
.card--vuln {
padding-top: 4em;
}
.card--vuln .card__labels > .label:first-child {
padding-left: 1.9em;
padding-right: 1.9em;
border-radius: 0 0.25rem 0.25rem 0;
}
.card--vuln .card__section h2 {
font-size: 22px;
margin-bottom: 0.5em;
}
.card--vuln .card__section p {
margin: 0 0 0.5em 0;
}
.card--vuln .card__meta {
padding: 0 0 0 1em;
margin: 0;
font-size: 1.1em;
}
.card .card__meta__paths {
font-size: 0.9em;
}
.card--vuln .card__title {
font-size: 28px;
margin-top: 0;
margin-right: 100px; /* Ensure space for the risk score */
}
.card--vuln .card__cta p {
margin: 0;
text-align: right;
}
.risk-score-display {
position: absolute;
top: 1.5em;
right: 1.5em;
text-align: right;
z-index: 10;
}
.risk-score-display__label {
font-size: 0.7em;
font-weight: bold;
color: #586069;
text-transform: uppercase;
line-height: 1;
margin-bottom: 3px;
}
.risk-score-display__value {
font-size: 1.9em;
font-weight: 600;
color: #24292e;
line-height: 1;
}
.source-panel {
clear: both;
display: flex;
justify-content: flex-start;
flex-direction: column;
align-items: flex-start;
padding: 0.5em 0;
width: fit-content;
}
</style>
<style type="text/css">
.metatable {
text-size-adjust: 100%;
-webkit-font-smoothing: antialiased;
-webkit-box-direction: normal;
color: inherit;
font-feature-settings: "pnum";
box-sizing: border-box;
background: transparent;
border: 0;
font: inherit;
font-size: 100%;
margin: 0;
outline: none;
padding: 0;
text-align: left;
text-decoration: none;
vertical-align: baseline;
z-index: auto;
margin-top: 12px;
border-collapse: collapse;
border-spacing: 0;
font-variant-numeric: tabular-nums;
max-width: 51.75em;
}
tbody {
text-size-adjust: 100%;
-webkit-font-smoothing: antialiased;
-webkit-box-direction: normal;
color: inherit;
font-feature-settings: "pnum";
border-collapse: collapse;
border-spacing: 0;
box-sizing: border-box;
background: transparent;
border: 0;
font: inherit;
font-size: 100%;
margin: 0;
outline: none;
padding: 0;
text-align: left;
text-decoration: none;
vertical-align: baseline;
z-index: auto;
display: flex;
flex-wrap: wrap;
}
.meta-row {
text-size-adjust: 100%;
-webkit-font-smoothing: antialiased;
-webkit-box-direction: normal;
color: inherit;
font-feature-settings: "pnum";
border-collapse: collapse;
border-spacing: 0;
box-sizing: border-box;
background: transparent;
border: 0;
font: inherit;
font-size: 100%;
outline: none;
text-align: left;
text-decoration: none;
vertical-align: baseline;
z-index: auto;
display: flex;
align-items: start;
border-top: 1px solid #d3d3d9;
padding: 8px 0 0 0;
border-bottom: none;
margin: 8px;
width: 47.75%;
}
.meta-row-label {
text-size-adjust: 100%;
-webkit-font-smoothing: antialiased;
-webkit-box-direction: normal;
font-feature-settings: "pnum";
border-collapse: collapse;
border-spacing: 0;
color: #4c4a73;
box-sizing: border-box;
background: transparent;
border: 0;
font: inherit;
margin: 0;
outline: none;
text-decoration: none;
z-index: auto;
align-self: start;
flex: 1;
font-size: 1rem;
line-height: 1.5rem;
padding: 0;
text-align: left;
vertical-align: top;
text-transform: none;
letter-spacing: 0;
}
.meta-row-value {
text-size-adjust: 100%;
-webkit-font-smoothing: antialiased;
-webkit-box-direction: normal;
color: inherit;
font-feature-settings: "pnum";
border-collapse: collapse;
border-spacing: 0;
word-break: break-word;
box-sizing: border-box;
background: transparent;
border: 0;
font: inherit;
font-size: 100%;
margin: 0;
outline: none;
padding: 0;
text-align: right;
text-decoration: none;
vertical-align: baseline;
z-index: auto;
}
</style>
</head>
<body class="section-projects">
<main class="layout-stacked">
<div class="layout-stacked__header header">
<header class="project__header">
<div class="layout-container">
<a class="brand" href="https://snyk.io" title="Snyk">
<svg width="68px" height="35px" viewBox="0 0 68 35" version="1.1" xmlns="http://www.w3.org/2000/svg" role="img">
<title>Snyk - Open Source Security</title>
<g stroke="none" stroke-width="1" fill="none" fill-rule="evenodd">
<g fill="#fff">
<path d="M5.732,27.278 C3.445,27.278 1.589,26.885 0,26.124 L0.483,22.472 C2.163,23.296 4.056,23.689 5.643,23.689 C6.801,23.689 7.563,23.295 7.563,22.599 C7.563,20.594 0.333,21.076 0.333,15.839 C0.333,12.491 3.407,10.729 7.259,10.729 C9.179,10.729 11.161,11.249 12.444,11.704 L11.924,15.294 C10.577,14.774 8.747,14.291 7.222,14.291 C6.282,14.291 5.518,14.621 5.518,15.231 C5.518,17.208 12.903,16.815 12.903,21.925 C12.903,25.325 9.877,27.277 5.733,27.277 L5.732,27.278 Z M25.726,26.936 L25.726,17.894 C25.726,15.827 24.811,14.85 23.069,14.85 C22.219,14.85 21.329,15.09 20.719,15.46 L20.719,26.936 L15.352,26.936 L15.352,11.262 L20.602,10.83 L20.474,13.392 L20.652,13.392 C21.784,11.87 23.702,10.716 25.992,10.716 C28.736,10.716 31.112,12.416 31.112,16.436 L31.112,26.936 L25.724,26.936 L25.726,26.936 Z M61.175,26.936 L56.879,19.479 L56.446,19.479 L56.446,26.935 L51.082,26.935 L51.082,8.37 L56.447,0 L56.447,17.323 C57.515,16.017 61.112,11.059 61.112,11.059 L67.732,11.059 L61.454,17.689 L67.949,26.95 L61.175,26.95 L61.175,26.938 L61.175,26.936 Z M44.13,11.11 L41.93,18.262 C41.5,19.606 41.08,22.079 41.08,22.079 C41.08,22.079 40.75,19.516 40.292,18.172 L37.94,11.108 L31.928,11.108 L38.462,26.935 C37.572,29.04 36.199,30.815 34.369,30.815 C34.039,30.815 33.709,30.802 33.389,30.765 L31.255,34.061 C31.928,34.441 33.212,34.835 34.737,34.835 C38.703,34.835 41.359,31.627 43.215,26.885 L49.443,11.108 L44.132,11.108 L44.13,11.11 Z"></path>
</g>
</g>
</svg>
</a>
<div class="header-wrap">
<h1 class="project__header__title">Snyk test report</h1>
<p class="timestamp">September 14th 2025, 12:29:44 am (UTC+00:00)</p>
</div>
<div class="source-panel">
<span>Scanned the following paths:</span>
<ul>
<li class="paths">/argo-cd/argoproj/argo-cd/v2/go.mod (gomodules)</li>
<li class="paths">/argo-cd/argoproj/argo-cd/get-previous-release/hack/get-previous-release/go.mod (gomodules)</li>
<li class="paths">/argo-cd/ui/yarn.lock (yarn)</li>
</ul>
</div>
<div class="meta-counts">
<div class="meta-count"><span>15</span> <span>known vulnerabilities</span></div>
<div class="meta-count"><span>60 vulnerable dependency paths</span></div>
<div class="meta-count"><span>2092</span> <span>dependencies</span></div>
</div><!-- .meta-counts -->
</div><!-- .layout-container--short -->
</header><!-- .project__header -->
</div><!-- .layout-stacked__header -->
<div class="layout-container" style="padding-top: 35px;">
<div class="cards--vuln filter--patch filter--ignore">
<div class="card card--vuln disclosure--not-new severity--critical" data-snyk-test="critical">
<h2 class="card__title">Predictable Value Range from Previous Values</h2>
<div class="card__section">
<div class="card__labels">
<div class="label label--critical">
<span class="label__text">critical severity</span>
</div>
</div>
<hr/>
<ul class="card__meta">
<li class="card__meta__item">
Manifest file: /argo-cd <span class="list-paths__item__arrow"></span> ui/yarn.lock
</li>
<li class="card__meta__item">
Package Manager: npm
</li>
<li class="card__meta__item">
Vulnerable module:
form-data
</li>
<li class="card__meta__item">Introduced through:
argo-cd-ui@1.0.0, superagent@8.1.2 and others
</li>
</ul>
<hr/>
<h3 class="card__section__title">Detailed paths</h3>
<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
argo-cd-ui@1.0.0
<span class="list-paths__item__arrow"></span>
superagent@8.1.2
<span class="list-paths__item__arrow"></span>
form-data@4.0.0
</span>
</li>
</ul><!-- .list-paths -->
</div><!-- .card__section -->
<hr/>
<!-- Overview -->
<h2 id="overview">Overview</h2>
<p>Affected versions of this package are vulnerable to Predictable Value Range from Previous Values via the <code>boundary</code> value, which uses <code>Math.random()</code>. An attacker can manipulate HTTP request boundaries by exploiting predictable values, potentially leading to HTTP parameter pollution.</p>
<h2 id="remediation">Remediation</h2>
<p>Upgrade <code>form-data</code> to version 2.5.4, 3.0.4, 4.0.4 or higher.</p>
<h2 id="references">References</h2>
<ul>
<li><a href="https://github.com/form-data/form-data/commit/3d1723080e6577a66f17f163ecd345a21d8d0fd0">GitHub Commit</a></li>
<li><a href="https://github.com/form-data/form-data/commit/b88316c94bb004323669cd3639dc8bb8262539eb">GitHub Commit</a></li>
<li><a href="https://github.com/form-data/form-data/commit/c6ced61d4fae8f617ee2fd692133ed87baa5d0fd">GitHub Commit</a></li>
<li><a href="https://github.com/benweissmann/CVE-2025-7783-poc">POC</a></li>
<li><a href="https://github.com/form-data/form-data/blob/426ba9ac440f95d1998dac9a5cd8d738043b048f/lib/form_data.js#L347">Vulnerable Code</a></li>
</ul>
<hr/>
<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/SNYK-JS-FORMDATA-10841150">More about this vulnerability</a></p>
</div>
</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--high" data-snyk-test="high">
<h2 class="card__title">Allocation of Resources Without Limits or Throttling</h2>
<div class="card__section">
<div class="card__labels">
<div class="label label--high">
<span class="label__text">high severity</span>
</div>
</div>
<hr/>
<ul class="card__meta">
<li class="card__meta__item">
Manifest file: /argo-cd/argoproj/argo-cd/v2 <span class="list-paths__item__arrow"></span> go.mod
</li>
<li class="card__meta__item">
Package Manager: golang
</li>
<li class="card__meta__item">
Vulnerable module:
golang.org/x/oauth2/jws
</li>
<li class="card__meta__item">Introduced through:
github.com/argoproj/argo-cd/v2@0.0.0, golang.org/x/oauth2/google@0.24.0 and others
</li>
</ul>
<hr/>
<h3 class="card__section__title">Detailed paths</h3>
<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
golang.org/x/oauth2/google@0.24.0
<span class="list-paths__item__arrow"></span>
golang.org/x/oauth2/jws@0.24.0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
golang.org/x/oauth2/google@0.24.0
<span class="list-paths__item__arrow"></span>
golang.org/x/oauth2/jwt@0.24.0
<span class="list-paths__item__arrow"></span>
golang.org/x/oauth2/jws@0.24.0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/argoproj/notifications-engine/pkg/services@#2fef5c9049fd
<span class="list-paths__item__arrow"></span>
google.golang.org/api/chat/v1@0.171.0
<span class="list-paths__item__arrow"></span>
google.golang.org/api/transport/http@0.171.0
<span class="list-paths__item__arrow"></span>
google.golang.org/api/option@0.171.0
<span class="list-paths__item__arrow"></span>
google.golang.org/api/internal@0.171.0
<span class="list-paths__item__arrow"></span>
golang.org/x/oauth2/google@0.24.0
<span class="list-paths__item__arrow"></span>
golang.org/x/oauth2/jws@0.24.0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/argoproj/notifications-engine/pkg/subscriptions@#2fef5c9049fd
<span class="list-paths__item__arrow"></span>
github.com/argoproj/notifications-engine/pkg/services@#2fef5c9049fd
<span class="list-paths__item__arrow"></span>
google.golang.org/api/chat/v1@0.171.0
<span class="list-paths__item__arrow"></span>
google.golang.org/api/transport/http@0.171.0
<span class="list-paths__item__arrow"></span>
google.golang.org/api/option@0.171.0
<span class="list-paths__item__arrow"></span>
google.golang.org/api/internal@0.171.0
<span class="list-paths__item__arrow"></span>
golang.org/x/oauth2/google@0.24.0
<span class="list-paths__item__arrow"></span>
golang.org/x/oauth2/jws@0.24.0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/argoproj/notifications-engine/pkg/cmd@#2fef5c9049fd
<span class="list-paths__item__arrow"></span>
github.com/argoproj/notifications-engine/pkg/services@#2fef5c9049fd
<span class="list-paths__item__arrow"></span>
google.golang.org/api/chat/v1@0.171.0
<span class="list-paths__item__arrow"></span>
google.golang.org/api/transport/http@0.171.0
<span class="list-paths__item__arrow"></span>
google.golang.org/api/option@0.171.0
<span class="list-paths__item__arrow"></span>
google.golang.org/api/internal@0.171.0
<span class="list-paths__item__arrow"></span>
golang.org/x/oauth2/google@0.24.0
<span class="list-paths__item__arrow"></span>
golang.org/x/oauth2/jws@0.24.0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/argoproj/notifications-engine/pkg/services@#2fef5c9049fd
<span class="list-paths__item__arrow"></span>
google.golang.org/api/chat/v1@0.171.0
<span class="list-paths__item__arrow"></span>
google.golang.org/api/transport/http@0.171.0
<span class="list-paths__item__arrow"></span>
google.golang.org/api/option@0.171.0
<span class="list-paths__item__arrow"></span>
google.golang.org/api/internal@0.171.0
<span class="list-paths__item__arrow"></span>
golang.org/x/oauth2/google@0.24.0
<span class="list-paths__item__arrow"></span>
golang.org/x/oauth2/jwt@0.24.0
<span class="list-paths__item__arrow"></span>
golang.org/x/oauth2/jws@0.24.0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/argoproj/notifications-engine/pkg/api@#2fef5c9049fd
<span class="list-paths__item__arrow"></span>
github.com/argoproj/notifications-engine/pkg/subscriptions@#2fef5c9049fd
<span class="list-paths__item__arrow"></span>
github.com/argoproj/notifications-engine/pkg/services@#2fef5c9049fd
<span class="list-paths__item__arrow"></span>
google.golang.org/api/chat/v1@0.171.0
<span class="list-paths__item__arrow"></span>
google.golang.org/api/transport/http@0.171.0
<span class="list-paths__item__arrow"></span>
google.golang.org/api/option@0.171.0
<span class="list-paths__item__arrow"></span>
google.golang.org/api/internal@0.171.0
<span class="list-paths__item__arrow"></span>
golang.org/x/oauth2/google@0.24.0
<span class="list-paths__item__arrow"></span>
golang.org/x/oauth2/jws@0.24.0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/argoproj/notifications-engine/pkg/controller@#2fef5c9049fd
<span class="list-paths__item__arrow"></span>
github.com/argoproj/notifications-engine/pkg/subscriptions@#2fef5c9049fd
<span class="list-paths__item__arrow"></span>
github.com/argoproj/notifications-engine/pkg/services@#2fef5c9049fd
<span class="list-paths__item__arrow"></span>
google.golang.org/api/chat/v1@0.171.0
<span class="list-paths__item__arrow"></span>
google.golang.org/api/transport/http@0.171.0
<span class="list-paths__item__arrow"></span>
google.golang.org/api/option@0.171.0
<span class="list-paths__item__arrow"></span>
google.golang.org/api/internal@0.171.0
<span class="list-paths__item__arrow"></span>
golang.org/x/oauth2/google@0.24.0
<span class="list-paths__item__arrow"></span>
golang.org/x/oauth2/jws@0.24.0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/argoproj/notifications-engine/pkg/subscriptions@#2fef5c9049fd
<span class="list-paths__item__arrow"></span>
github.com/argoproj/notifications-engine/pkg/services@#2fef5c9049fd
<span class="list-paths__item__arrow"></span>
google.golang.org/api/chat/v1@0.171.0
<span class="list-paths__item__arrow"></span>
google.golang.org/api/transport/http@0.171.0
<span class="list-paths__item__arrow"></span>
google.golang.org/api/option@0.171.0
<span class="list-paths__item__arrow"></span>
google.golang.org/api/internal@0.171.0
<span class="list-paths__item__arrow"></span>
golang.org/x/oauth2/google@0.24.0
<span class="list-paths__item__arrow"></span>
golang.org/x/oauth2/jwt@0.24.0
<span class="list-paths__item__arrow"></span>
golang.org/x/oauth2/jws@0.24.0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/argoproj/notifications-engine/pkg/cmd@#2fef5c9049fd
<span class="list-paths__item__arrow"></span>
github.com/argoproj/notifications-engine/pkg/services@#2fef5c9049fd
<span class="list-paths__item__arrow"></span>
google.golang.org/api/chat/v1@0.171.0
<span class="list-paths__item__arrow"></span>
google.golang.org/api/transport/http@0.171.0
<span class="list-paths__item__arrow"></span>
google.golang.org/api/option@0.171.0
<span class="list-paths__item__arrow"></span>
google.golang.org/api/internal@0.171.0
<span class="list-paths__item__arrow"></span>
golang.org/x/oauth2/google@0.24.0
<span class="list-paths__item__arrow"></span>
golang.org/x/oauth2/jwt@0.24.0
<span class="list-paths__item__arrow"></span>
golang.org/x/oauth2/jws@0.24.0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/argoproj/notifications-engine/pkg/api@#2fef5c9049fd
<span class="list-paths__item__arrow"></span>
github.com/argoproj/notifications-engine/pkg/subscriptions@#2fef5c9049fd
<span class="list-paths__item__arrow"></span>
github.com/argoproj/notifications-engine/pkg/services@#2fef5c9049fd
<span class="list-paths__item__arrow"></span>
google.golang.org/api/chat/v1@0.171.0
<span class="list-paths__item__arrow"></span>
google.golang.org/api/transport/http@0.171.0
<span class="list-paths__item__arrow"></span>
google.golang.org/api/option@0.171.0
<span class="list-paths__item__arrow"></span>
google.golang.org/api/internal@0.171.0
<span class="list-paths__item__arrow"></span>
golang.org/x/oauth2/google@0.24.0
<span class="list-paths__item__arrow"></span>
golang.org/x/oauth2/jwt@0.24.0
<span class="list-paths__item__arrow"></span>
golang.org/x/oauth2/jws@0.24.0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/argoproj/notifications-engine/pkg/controller@#2fef5c9049fd
<span class="list-paths__item__arrow"></span>
github.com/argoproj/notifications-engine/pkg/subscriptions@#2fef5c9049fd
<span class="list-paths__item__arrow"></span>
github.com/argoproj/notifications-engine/pkg/services@#2fef5c9049fd
<span class="list-paths__item__arrow"></span>
google.golang.org/api/chat/v1@0.171.0
<span class="list-paths__item__arrow"></span>
google.golang.org/api/transport/http@0.171.0
<span class="list-paths__item__arrow"></span>
google.golang.org/api/option@0.171.0
<span class="list-paths__item__arrow"></span>
google.golang.org/api/internal@0.171.0
<span class="list-paths__item__arrow"></span>
golang.org/x/oauth2/google@0.24.0
<span class="list-paths__item__arrow"></span>
golang.org/x/oauth2/jwt@0.24.0
<span class="list-paths__item__arrow"></span>
golang.org/x/oauth2/jws@0.24.0
</span>
</li>
</ul><!-- .list-paths -->
</div><!-- .card__section -->
<hr/>
<!-- Overview -->
<h2 id="overview">Overview</h2>
<p>Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to improper parsing of malformed tokens which can lead to memory consumption.</p>
<h2 id="remediation">Remediation</h2>
<p>Upgrade <code>golang.org/x/oauth2/jws</code> to version 0.27.0 or higher.</p>
<h2 id="references">References</h2>
<ul>
<li><a href="https://github.com/golang/oauth2/commit/681b4d8edca1bcfea5bce685d77ea7b82ed3e7b3">GitHub Commit</a></li>
<li><a href="https://github.com/lestrrat-go/jwx/commit/d0bb4610154d45b7dce7d706a8068ea72586d249">GitHub Commit</a></li>
<li><a href="https://github.com/golang/go/issues/71490">GitHub Issue</a></li>
<li><a href="https://github.com/lestrrat-go/jwx/pull/1308">GitHub PR</a></li>
<li><a href="https://pkg.go.dev/vuln/GO-2025-3488">Go Advisory</a></li>
</ul>
<hr/>
<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXOAUTH2JWS-8749594">More about this vulnerability</a></p>
</div>
</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium">
<h2 class="card__title">LGPL-3.0 license</h2>
<div class="card__section">
<div class="card__labels">
<div class="label label--medium">
<span class="label__text">medium severity</span>
</div>
</div>
<hr/>
<ul class="card__meta">
<li class="card__meta__item">
Manifest file: /argo-cd/argoproj/argo-cd/v2 <span class="list-paths__item__arrow"></span> go.mod
</li>
<li class="card__meta__item">
Package Manager: golang
</li>
<li class="card__meta__item">
Module:
gopkg.in/retry.v1
</li>
<li class="card__meta__item">Introduced through:
github.com/argoproj/argo-cd/v2@0.0.0, github.com/Azure/kubelogin/pkg/token@0.1.6 and others
</li>
</ul>
<hr/>
<h3 class="card__section__title">Detailed paths</h3>
<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/Azure/kubelogin/pkg/token@0.1.6
<span class="list-paths__item__arrow"></span>
github.com/Azure/kubelogin/pkg/internal/token@0.1.6
<span class="list-paths__item__arrow"></span>
gopkg.in/retry.v1@1.0.3
</span>
</li>
</ul><!-- .list-paths -->
</div><!-- .card__section -->
<hr/>
<!-- Overview -->
<p>LGPL-3.0 license</p>
<hr/>
<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/snyk:lic:golang:gopkg.in:retry.v1:LGPL-3.0">More about this vulnerability</a></p>
</div>
</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium">
<h2 class="card__title">MPL-2.0 license</h2>
<div class="card__section">
<div class="card__labels">
<div class="label label--medium">
<span class="label__text">medium severity</span>
</div>
</div>
<hr/>
<ul class="card__meta">
<li class="card__meta__item">
Manifest file: /argo-cd/argoproj/argo-cd/v2 <span class="list-paths__item__arrow"></span> go.mod
</li>
<li class="card__meta__item">
Package Manager: golang
</li>
<li class="card__meta__item">
Module:
github.com/r3labs/diff
</li>
<li class="card__meta__item">Introduced through:
github.com/argoproj/argo-cd/v2@0.0.0 and github.com/r3labs/diff@1.1.0
</li>
</ul>
<hr/>
<h3 class="card__section__title">Detailed paths</h3>
<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/r3labs/diff@1.1.0
</span>
</li>
</ul><!-- .list-paths -->
</div><!-- .card__section -->
<hr/>
<!-- Overview -->
<p>MPL-2.0 license</p>
<hr/>
<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:r3labs:diff:MPL-2.0">More about this vulnerability</a></p>
</div>
</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium">
<h2 class="card__title">MPL-2.0 license</h2>
<div class="card__section">
<div class="card__labels">
<div class="label label--medium">
<span class="label__text">medium severity</span>
</div>
</div>
<hr/>
<ul class="card__meta">
<li class="card__meta__item">
Manifest file: /argo-cd/argoproj/argo-cd/v2 <span class="list-paths__item__arrow"></span> go.mod
</li>
<li class="card__meta__item">
Package Manager: golang
</li>
<li class="card__meta__item">
Module:
github.com/hashicorp/go-version
</li>
<li class="card__meta__item">Introduced through:
github.com/argoproj/argo-cd/v2@0.0.0, code.gitea.io/sdk/gitea@0.19.0 and others
</li>
</ul>
<hr/>
<h3 class="card__section__title">Detailed paths</h3>
<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
code.gitea.io/sdk/gitea@0.19.0
<span class="list-paths__item__arrow"></span>
github.com/hashicorp/go-version@1.6.0
</span>
</li>
</ul><!-- .list-paths -->
</div><!-- .card__section -->
<hr/>
<!-- Overview -->
<p>MPL-2.0 license</p>
<hr/>
<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:go-version:MPL-2.0">More about this vulnerability</a></p>
</div>
</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium">
<h2 class="card__title">MPL-2.0 license</h2>
<div class="card__section">
<div class="card__labels">
<div class="label label--medium">
<span class="label__text">medium severity</span>
</div>
</div>
<hr/>
<ul class="card__meta">
<li class="card__meta__item">
Manifest file: /argo-cd/argoproj/argo-cd/v2 <span class="list-paths__item__arrow"></span> go.mod
</li>
<li class="card__meta__item">
Package Manager: golang
</li>
<li class="card__meta__item">
Module:
github.com/hashicorp/go-retryablehttp
</li>
<li class="card__meta__item">Introduced through:
github.com/argoproj/argo-cd/v2@0.0.0 and github.com/hashicorp/go-retryablehttp@0.7.7
</li>
</ul>
<hr/>
<h3 class="card__section__title">Detailed paths</h3>
<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/hashicorp/go-retryablehttp@0.7.7
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/argoproj/notifications-engine/pkg/services@#2fef5c9049fd
<span class="list-paths__item__arrow"></span>
github.com/hashicorp/go-retryablehttp@0.7.7
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/xanzy/go-gitlab@0.114.0
<span class="list-paths__item__arrow"></span>
github.com/hashicorp/go-retryablehttp@0.7.7
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/argoproj/notifications-engine/pkg/subscriptions@#2fef5c9049fd
<span class="list-paths__item__arrow"></span>
github.com/argoproj/notifications-engine/pkg/services@#2fef5c9049fd
<span class="list-paths__item__arrow"></span>
github.com/hashicorp/go-retryablehttp@0.7.7
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/argoproj/notifications-engine/pkg/cmd@#2fef5c9049fd
<span class="list-paths__item__arrow"></span>
github.com/argoproj/notifications-engine/pkg/services@#2fef5c9049fd
<span class="list-paths__item__arrow"></span>
github.com/hashicorp/go-retryablehttp@0.7.7
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/argoproj/notifications-engine/pkg/services@#2fef5c9049fd
<span class="list-paths__item__arrow"></span>
github.com/opsgenie/opsgenie-go-sdk-v2/client@1.0.5
<span class="list-paths__item__arrow"></span>
github.com/hashicorp/go-retryablehttp@0.7.7
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/argoproj/notifications-engine/pkg/api@#2fef5c9049fd
<span class="list-paths__item__arrow"></span>
github.com/argoproj/notifications-engine/pkg/subscriptions@#2fef5c9049fd
<span class="list-paths__item__arrow"></span>
github.com/argoproj/notifications-engine/pkg/services@#2fef5c9049fd
<span class="list-paths__item__arrow"></span>
github.com/hashicorp/go-retryablehttp@0.7.7
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/argoproj/notifications-engine/pkg/controller@#2fef5c9049fd
<span class="list-paths__item__arrow"></span>
github.com/argoproj/notifications-engine/pkg/subscriptions@#2fef5c9049fd
<span class="list-paths__item__arrow"></span>
github.com/argoproj/notifications-engine/pkg/services@#2fef5c9049fd
<span class="list-paths__item__arrow"></span>
github.com/hashicorp/go-retryablehttp@0.7.7
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/argoproj/notifications-engine/pkg/subscriptions@#2fef5c9049fd
<span class="list-paths__item__arrow"></span>
github.com/argoproj/notifications-engine/pkg/services@#2fef5c9049fd
<span class="list-paths__item__arrow"></span>
github.com/opsgenie/opsgenie-go-sdk-v2/client@1.0.5
<span class="list-paths__item__arrow"></span>
github.com/hashicorp/go-retryablehttp@0.7.7
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/argoproj/notifications-engine/pkg/cmd@#2fef5c9049fd
<span class="list-paths__item__arrow"></span>
github.com/argoproj/notifications-engine/pkg/services@#2fef5c9049fd
<span class="list-paths__item__arrow"></span>
github.com/opsgenie/opsgenie-go-sdk-v2/client@1.0.5
<span class="list-paths__item__arrow"></span>
github.com/hashicorp/go-retryablehttp@0.7.7
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/argoproj/notifications-engine/pkg/api@#2fef5c9049fd
<span class="list-paths__item__arrow"></span>
github.com/argoproj/notifications-engine/pkg/subscriptions@#2fef5c9049fd
<span class="list-paths__item__arrow"></span>
github.com/argoproj/notifications-engine/pkg/services@#2fef5c9049fd
<span class="list-paths__item__arrow"></span>
github.com/opsgenie/opsgenie-go-sdk-v2/client@1.0.5
<span class="list-paths__item__arrow"></span>
github.com/hashicorp/go-retryablehttp@0.7.7
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/argoproj/notifications-engine/pkg/controller@#2fef5c9049fd
<span class="list-paths__item__arrow"></span>
github.com/argoproj/notifications-engine/pkg/subscriptions@#2fef5c9049fd
<span class="list-paths__item__arrow"></span>
github.com/argoproj/notifications-engine/pkg/services@#2fef5c9049fd
<span class="list-paths__item__arrow"></span>
github.com/opsgenie/opsgenie-go-sdk-v2/client@1.0.5
<span class="list-paths__item__arrow"></span>
github.com/hashicorp/go-retryablehttp@0.7.7
</span>
</li>
</ul><!-- .list-paths -->
</div><!-- .card__section -->
<hr/>
<!-- Overview -->
<p>MPL-2.0 license</p>
<hr/>
<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:go-retryablehttp:MPL-2.0">More about this vulnerability</a></p>
</div>
</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium">
<h2 class="card__title">MPL-2.0 license</h2>
<div class="card__section">
<div class="card__labels">
<div class="label label--medium">
<span class="label__text">medium severity</span>
</div>
</div>
<hr/>
<ul class="card__meta">
<li class="card__meta__item">
Manifest file: /argo-cd/argoproj/argo-cd/v2 <span class="list-paths__item__arrow"></span> go.mod
</li>
<li class="card__meta__item">
Package Manager: golang
</li>
<li class="card__meta__item">
Module:
github.com/hashicorp/go-cleanhttp
</li>
<li class="card__meta__item">Introduced through:
github.com/argoproj/argo-cd/v2@0.0.0, github.com/hashicorp/go-retryablehttp@0.7.7 and others
</li>
</ul>
<hr/>
<h3 class="card__section__title">Detailed paths</h3>
<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/hashicorp/go-retryablehttp@0.7.7
<span class="list-paths__item__arrow"></span>
github.com/hashicorp/go-cleanhttp@0.5.2
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/xanzy/go-gitlab@0.114.0
<span class="list-paths__item__arrow"></span>
github.com/hashicorp/go-cleanhttp@0.5.2
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/xanzy/go-gitlab@0.114.0
<span class="list-paths__item__arrow"></span>
github.com/hashicorp/go-retryablehttp@0.7.7
<span class="list-paths__item__arrow"></span>
github.com/hashicorp/go-cleanhttp@0.5.2
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/argoproj/notifications-engine/pkg/services@#2fef5c9049fd
<span class="list-paths__item__arrow"></span>
github.com/opsgenie/opsgenie-go-sdk-v2/client@1.0.5
<span class="list-paths__item__arrow"></span>
github.com/hashicorp/go-retryablehttp@0.7.7
<span class="list-paths__item__arrow"></span>
github.com/hashicorp/go-cleanhttp@0.5.2
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/argoproj/notifications-engine/pkg/subscriptions@#2fef5c9049fd
<span class="list-paths__item__arrow"></span>
github.com/argoproj/notifications-engine/pkg/services@#2fef5c9049fd
<span class="list-paths__item__arrow"></span>
github.com/opsgenie/opsgenie-go-sdk-v2/client@1.0.5
<span class="list-paths__item__arrow"></span>
github.com/hashicorp/go-retryablehttp@0.7.7
<span class="list-paths__item__arrow"></span>
github.com/hashicorp/go-cleanhttp@0.5.2
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/argoproj/notifications-engine/pkg/cmd@#2fef5c9049fd
<span class="list-paths__item__arrow"></span>
github.com/argoproj/notifications-engine/pkg/services@#2fef5c9049fd
<span class="list-paths__item__arrow"></span>
github.com/opsgenie/opsgenie-go-sdk-v2/client@1.0.5
<span class="list-paths__item__arrow"></span>
github.com/hashicorp/go-retryablehttp@0.7.7
<span class="list-paths__item__arrow"></span>
github.com/hashicorp/go-cleanhttp@0.5.2
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/argoproj/notifications-engine/pkg/api@#2fef5c9049fd
<span class="list-paths__item__arrow"></span>
github.com/argoproj/notifications-engine/pkg/subscriptions@#2fef5c9049fd
<span class="list-paths__item__arrow"></span>
github.com/argoproj/notifications-engine/pkg/services@#2fef5c9049fd
<span class="list-paths__item__arrow"></span>
github.com/opsgenie/opsgenie-go-sdk-v2/client@1.0.5
<span class="list-paths__item__arrow"></span>
github.com/hashicorp/go-retryablehttp@0.7.7
<span class="list-paths__item__arrow"></span>
github.com/hashicorp/go-cleanhttp@0.5.2
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/argoproj/notifications-engine/pkg/controller@#2fef5c9049fd
<span class="list-paths__item__arrow"></span>
github.com/argoproj/notifications-engine/pkg/subscriptions@#2fef5c9049fd
<span class="list-paths__item__arrow"></span>
github.com/argoproj/notifications-engine/pkg/services@#2fef5c9049fd
<span class="list-paths__item__arrow"></span>
github.com/opsgenie/opsgenie-go-sdk-v2/client@1.0.5
<span class="list-paths__item__arrow"></span>
github.com/hashicorp/go-retryablehttp@0.7.7
<span class="list-paths__item__arrow"></span>
github.com/hashicorp/go-cleanhttp@0.5.2
</span>
</li>
</ul><!-- .list-paths -->
</div><!-- .card__section -->
<hr/>
<!-- Overview -->
<p>MPL-2.0 license</p>
<hr/>
<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:go-cleanhttp:MPL-2.0">More about this vulnerability</a></p>
</div>
</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium">
<h2 class="card__title">MPL-2.0 license</h2>
<div class="card__section">
<div class="card__labels">
<div class="label label--medium">
<span class="label__text">medium severity</span>
</div>
</div>
<hr/>
<ul class="card__meta">
<li class="card__meta__item">
Manifest file: /argo-cd/argoproj/argo-cd/v2 <span class="list-paths__item__arrow"></span> go.mod
</li>
<li class="card__meta__item">
Package Manager: golang
</li>
<li class="card__meta__item">
Module:
github.com/gosimple/slug
</li>
<li class="card__meta__item">Introduced through:
github.com/argoproj/argo-cd/v2@0.0.0 and github.com/gosimple/slug@1.14.0
</li>
</ul>
<hr/>
<h3 class="card__section__title">Detailed paths</h3>
<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/gosimple/slug@1.14.0
</span>
</li>
</ul><!-- .list-paths -->
</div><!-- .card__section -->
<hr/>
<!-- Overview -->
<p>MPL-2.0 license</p>
<hr/>
<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:gosimple:slug:MPL-2.0">More about this vulnerability</a></p>
</div>
</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium">
<h2 class="card__title">Allocation of Resources Without Limits or Throttling</h2>
<div class="card__section">
<div class="card__labels">
<div class="label label--medium">
<span class="label__text">medium severity</span>
</div>
</div>
<hr/>
<ul class="card__meta">
<li class="card__meta__item">
Manifest file: /argo-cd/argoproj/argo-cd/v2 <span class="list-paths__item__arrow"></span> go.mod
</li>
<li class="card__meta__item">
Package Manager: golang
</li>
<li class="card__meta__item">
Vulnerable module:
github.com/go-jose/go-jose/v4
</li>
<li class="card__meta__item">Introduced through:
github.com/argoproj/argo-cd/v2@0.0.0, github.com/coreos/go-oidc/v3/oidc@3.11.0 and others
</li>
</ul>
<hr/>
<h3 class="card__section__title">Detailed paths</h3>
<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/coreos/go-oidc/v3/oidc@3.11.0
<span class="list-paths__item__arrow"></span>
github.com/go-jose/go-jose/v4@4.0.2
</span>
</li>
</ul><!-- .list-paths -->
</div><!-- .card__section -->
<hr/>
<!-- Overview -->
<h2 id="overview">Overview</h2>
<p>Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the use of <code>strings.Split</code> to split JWT tokens. An attacker can cause memory exhaustion and service disruption by sending numerous malformed tokens with a large number of <code>.</code> characters. </p>
<h2 id="workaround">Workaround</h2>
<p>This vulnerability can be mitigated by pre-validating that payloads passed to Go JOSE do not contain an excessive number of <code>.</code> characters.</p>
<h2 id="remediation">Remediation</h2>
<p>Upgrade <code>github.com/go-jose/go-jose/v4</code> to version 4.0.5 or higher.</p>
<h2 id="references">References</h2>
<ul>
<li><a href="https://github.com/go-jose/go-jose/commit/99b346cec4e86d102284642c5dcbe9bb0cacfc22">GitHub Commit</a></li>
<li><a href="https://github.com/go-jose/go-jose/releases/tag/v4.0.5">GitHub Release</a></li>
</ul>
<hr/>
<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGOJOSEGOJOSEV4-8745975">More about this vulnerability</a></p>
</div>
</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium">
<h2 class="card__title">Allocation of Resources Without Limits or Throttling</h2>
<div class="card__section">
<div class="card__labels">
<div class="label label--medium">
<span class="label__text">medium severity</span>
</div>
</div>
<hr/>
<ul class="card__meta">
<li class="card__meta__item">
Manifest file: /argo-cd/argoproj/argo-cd/v2 <span class="list-paths__item__arrow"></span> go.mod
</li>
<li class="card__meta__item">
Package Manager: golang
</li>
<li class="card__meta__item">
Vulnerable module:
github.com/go-jose/go-jose/v3
</li>
<li class="card__meta__item">Introduced through:
github.com/argoproj/argo-cd/v2@0.0.0 and github.com/go-jose/go-jose/v3@3.0.3
</li>
</ul>
<hr/>
<h3 class="card__section__title">Detailed paths</h3>
<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
github.com/argoproj/argo-cd/v2@0.0.0
<span class="list-paths__item__arrow"></span>
github.com/go-jose/go-jose/v3@3.0.3
</span>
</li>
</ul><!-- .list-paths -->
</div><!-- .card__section -->
<hr/>
<!-- Overview -->
<h2 id="overview">Overview</h2>
<p>Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the use of <code>strings.Split</code> to split JWT tokens. An attacker can cause memory exhaustion and service disruption by sending numerous malformed tokens with a large number of <code>.</code> characters. </p>
<h2 id="workaround">Workaround</h2>
<p>This vulnerability can be mitigated by pre-validating that payloads passed to Go JOSE do not contain an excessive number of <code>.</code> characters.</p>
<h2 id="remediation">Remediation</h2>
<p>Upgrade <code>github.com/go-jose/go-jose/v3</code> to version 3.0.4 or higher.</p>
<h2 id="references">References</h2>
<ul>
<li><a href="https://github.com/go-jose/go-jose/commit/99b346cec4e86d102284642c5dcbe9bb0cacfc22">GitHub Commit</a></li>
<li><a href="https://github.com/go-jose/go-jose/releases/tag/v4.0.5">GitHub Release</a></li>
</ul>
<hr/>
<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGOJOSEGOJOSEV3-8754524">More about this vulnerability</a></p>
</div>
</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium">
<h2 class="card__title">Regular Expression Denial of Service (ReDoS)</h2>
<div class="card__section">
<div class="card__labels">
<div class="label label--medium">
<span class="label__text">medium severity</span>
</div>
</div>
<hr/>
<ul class="card__meta">
<li class="card__meta__item">
Manifest file: /argo-cd <span class="list-paths__item__arrow"></span> ui/yarn.lock
</li>
<li class="card__meta__item">
Package Manager: npm
</li>
<li class="card__meta__item">
Vulnerable module:
foundation-sites
</li>
<li class="card__meta__item">Introduced through:
argo-cd-ui@1.0.0 and foundation-sites@6.8.1
</li>
</ul>
<hr/>
<h3 class="card__section__title">Detailed paths</h3>
<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
argo-cd-ui@1.0.0
<span class="list-paths__item__arrow"></span>
foundation-sites@6.8.1
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
argo-cd-ui@1.0.0
<span class="list-paths__item__arrow"></span>
argo-ui@1.0.0
<span class="list-paths__item__arrow"></span>
foundation-sites@6.8.1
</span>
</li>
</ul><!-- .list-paths -->
</div><!-- .card__section -->
<hr/>
<!-- Overview -->
<h2 id="overview">Overview</h2>
<p><a href="https://github.com/zurb/foundation-sites">foundation-sites</a> is a responsive front-end framework</p>
<p>Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) due to inefficient backtracking in the regular expressions used in URL forms.</p>
<h2 id="poc">PoC</h2>
<pre><code>https://www.&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;
</code></pre>
<h2 id="details">Details</h2>
<p>Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.</p>
<p>The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren&#39;t very intuitive and can ultimately end up making it easy for attackers to take your site down.</p>
<p>Lets take the following regular expression as an example:</p>
<pre><code class="language-js">regex = /A(B|C+)+D/
</code></pre>
<p>This regular expression accomplishes the following:</p>
<ul>
<li><code>A</code> The string must start with the letter &#39;A&#39;</li>
<li><code>(B|C+)+</code> The string must then follow the letter A with either the letter &#39;B&#39; or some number of occurrences of the letter &#39;C&#39; (the <code>+</code> matches one or more times). The <code>+</code> at the end of this section states that we can look for one or more matches of this section.</li>
<li><code>D</code> Finally, we ensure this section of the string ends with a &#39;D&#39;</li>
</ul>
<p>The expression would match inputs such as <code>ABBD</code>, <code>ABCCCCD</code>, <code>ABCBCCCD</code> and <code>ACCCCCD</code></p>
<p>It most cases, it doesn&#39;t take very long for a regex engine to find a match:</p>
<pre><code class="language-bash">$ time node -e &#39;/A(B|C+)+D/.test(&quot;ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD&quot;)&#39;
0.04s user 0.01s system 95% cpu 0.052 total
$ time node -e &#39;/A(B|C+)+D/.test(&quot;ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX&quot;)&#39;
1.79s user 0.02s system 99% cpu 1.812 total
</code></pre>
<p>The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.</p>
<p>Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesnt match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as <em>catastrophic backtracking</em>.</p>
<p>Let&#39;s look at how our expression runs into this problem, using a shorter string: &quot;ACCCX&quot;. While it seems fairly straightforward, there are still four different ways that the engine could match those three C&#39;s:</p>
<ol>
<li>CCC</li>
<li>CC+C</li>
<li>C+CC</li>
<li>C+C+C.</li>
</ol>
<p>The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use <a href="https://regex101.com/debugger">RegEx 101 debugger</a> to see the engine has to take a total of 38 steps before it can determine the string doesn&#39;t match.</p>
<p>From there, the number of steps the engine must use to validate a string just continues to grow.</p>
<table>
<thead>
<tr>
<th>String</th>
<th align="right">Number of C&#39;s</th>
<th align="right">Number of steps</th>
</tr>
</thead>
<tbody><tr>
<td>ACCCX</td>
<td align="right">3</td>
<td align="right">38</td>
</tr>
<tr>
<td>ACCCCX</td>
<td align="right">4</td>
<td align="right">71</td>
</tr>
<tr>
<td>ACCCCCX</td>
<td align="right">5</td>
<td align="right">136</td>
</tr>
<tr>
<td>ACCCCCCCCCCCCCCX</td>
<td align="right">14</td>
<td align="right">65,553</td>
</tr>
</tbody></table>
<p>By the time the string includes 14 C&#39;s, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.</p>
<h2 id="remediation">Remediation</h2>
<p>There is no fixed version for <code>foundation-sites</code>.</p>
<h2 id="references">References</h2>
<ul>
<li><a href="https://securitylab.github.com/advisories/GHSL-2020-290-redos-foundation-sites">GitHub Advisory</a></li>
<li><a href="https://github.com/foundation/foundation-sites/issues/12180">GitHub Issue</a></li>
<li><a href="https://github.com/foundation/foundation-sites/blob/develop/js/foundation.abide.js#L864">Vulnerable Code</a></li>
</ul>
<hr/>
<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/SNYK-JS-FOUNDATIONSITES-8310364">More about this vulnerability</a></p>
</div>
</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium">
<h2 class="card__title">Regular Expression Denial of Service (ReDoS)</h2>
<div class="card__section">
<div class="card__labels">
<div class="label label--medium">
<span class="label__text">medium severity</span>
</div>
</div>
<hr/>
<ul class="card__meta">
<li class="card__meta__item">
Manifest file: /argo-cd <span class="list-paths__item__arrow"></span> ui/yarn.lock
</li>
<li class="card__meta__item">
Package Manager: npm
</li>
<li class="card__meta__item">
Vulnerable module:
@babel/runtime
</li>
<li class="card__meta__item">Introduced through:
argo-cd-ui@1.0.0, history@4.10.1 and others
</li>
</ul>
<hr/>
<h3 class="card__section__title">Detailed paths</h3>
<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
argo-cd-ui@1.0.0
<span class="list-paths__item__arrow"></span>
history@4.10.1
<span class="list-paths__item__arrow"></span>
@babel/runtime@7.14.6
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
argo-cd-ui@1.0.0
<span class="list-paths__item__arrow"></span>
argo-ui@1.0.0
<span class="list-paths__item__arrow"></span>
history@4.10.1
<span class="list-paths__item__arrow"></span>
@babel/runtime@7.14.6
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
argo-cd-ui@1.0.0
<span class="list-paths__item__arrow"></span>
react-router@4.3.1
<span class="list-paths__item__arrow"></span>
history@4.10.1
<span class="list-paths__item__arrow"></span>
@babel/runtime@7.14.6
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
argo-cd-ui@1.0.0
<span class="list-paths__item__arrow"></span>
react-router-dom@4.3.1
<span class="list-paths__item__arrow"></span>
history@4.10.1
<span class="list-paths__item__arrow"></span>
@babel/runtime@7.14.6
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
argo-cd-ui@1.0.0
<span class="list-paths__item__arrow"></span>
react-form@2.16.3
<span class="list-paths__item__arrow"></span>
react-redux@5.1.2
<span class="list-paths__item__arrow"></span>
@babel/runtime@7.14.6
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
argo-cd-ui@1.0.0
<span class="list-paths__item__arrow"></span>
react-form@2.16.3
<span class="list-paths__item__arrow"></span>
react-redux@5.1.2
<span class="list-paths__item__arrow"></span>
@babel/runtime@7.14.6
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
argo-cd-ui@1.0.0
<span class="list-paths__item__arrow"></span>
react-router-dom@4.3.1
<span class="list-paths__item__arrow"></span>
react-router@4.3.1
<span class="list-paths__item__arrow"></span>
history@4.10.1
<span class="list-paths__item__arrow"></span>
@babel/runtime@7.14.6
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
argo-cd-ui@1.0.0
<span class="list-paths__item__arrow"></span>
argo-ui@1.0.0
<span class="list-paths__item__arrow"></span>
react-router-dom@4.3.1
<span class="list-paths__item__arrow"></span>
history@4.10.1
<span class="list-paths__item__arrow"></span>
@babel/runtime@7.14.6
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
argo-cd-ui@1.0.0
<span class="list-paths__item__arrow"></span>
argo-ui@1.0.0
<span class="list-paths__item__arrow"></span>
react-form@2.16.3
<span class="list-paths__item__arrow"></span>
react-redux@5.1.2
<span class="list-paths__item__arrow"></span>
@babel/runtime@7.14.6
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
argo-cd-ui@1.0.0
<span class="list-paths__item__arrow"></span>
argo-ui@1.0.0
<span class="list-paths__item__arrow"></span>
react-form@2.16.3
<span class="list-paths__item__arrow"></span>
react-redux@5.1.2
<span class="list-paths__item__arrow"></span>
@babel/runtime@7.14.6
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
argo-cd-ui@1.0.0
<span class="list-paths__item__arrow"></span>
argo-ui@1.0.0
<span class="list-paths__item__arrow"></span>
react-router-dom@4.3.1
<span class="list-paths__item__arrow"></span>
react-router@4.3.1
<span class="list-paths__item__arrow"></span>
history@4.10.1
<span class="list-paths__item__arrow"></span>
@babel/runtime@7.14.6
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
argo-cd-ui@1.0.0
<span class="list-paths__item__arrow"></span>
date-fns@2.30.0
<span class="list-paths__item__arrow"></span>
@babel/runtime@7.21.5
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
argo-cd-ui@1.0.0
<span class="list-paths__item__arrow"></span>
react-virtualized@9.22.3
<span class="list-paths__item__arrow"></span>
@babel/runtime@7.20.13
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
argo-cd-ui@1.0.0
<span class="list-paths__item__arrow"></span>
react-virtualized@9.22.3
<span class="list-paths__item__arrow"></span>
dom-helpers@5.2.1
<span class="list-paths__item__arrow"></span>
@babel/runtime@7.20.13
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
argo-cd-ui@1.0.0
<span class="list-paths__item__arrow"></span>
redoc@2.4.0
<span class="list-paths__item__arrow"></span>
polished@4.3.1
<span class="list-paths__item__arrow"></span>
@babel/runtime@7.26.9
</span>
</li>
</ul><!-- .list-paths -->
</div><!-- .card__section -->
<hr/>
<!-- Overview -->
<h2 id="overview">Overview</h2>
<p>Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in the <code>replace()</code> method in <code>wrapRegExp.js</code>. An attacker can cause degradation in performance by supplying input strings that exploit the quadratic complexity of the replacement algorithm. </p>
<p>This is only exploitable when all of the following conditions are met: </p>
<ol>
<li><p>The code passes untrusted strings in the second argument to <code>.replace()</code>.</p>
</li>
<li><p>The compiled regular expressions being applied contain named capture groups.</p>
</li>
</ol>
<p>In the case of <code>@babel/preset-env</code>, if the <code>targets</code> option is in use the application will be vulnerable under either of the following conditions:</p>
<ol>
<li><p>A browser older than Chrome 64, Opera 71, Edge 79, Firefox 78, Safari 11.1, or Node.js 10 is used when processing named capture groups.</p>
</li>
<li><p>A browser older than Chrome/Edge 126, Opera 112, Firefox 129, Safari 17.4, or Node.js 23 is used when processing duplicated named capture groups.</p>
</li>
</ol>
<p><strong>Note:</strong> The project maintainers advise that &quot;just updating your Babel dependencies is not enough: you will also need to re-compile your code.&quot;</p>
<h2 id="workaround">Workaround</h2>
<p> This vulnerability can be avoided by filtering out input containing a <code>$&lt;</code> that is not followed by a <code>&gt;</code>.</p>
<h2 id="details">Details</h2>
<p>Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.</p>
<p>The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren&#39;t very intuitive and can ultimately end up making it easy for attackers to take your site down.</p>
<p>Lets take the following regular expression as an example:</p>
<pre><code class="language-js">regex = /A(B|C+)+D/
</code></pre>
<p>This regular expression accomplishes the following:</p>
<ul>
<li><code>A</code> The string must start with the letter &#39;A&#39;</li>
<li><code>(B|C+)+</code> The string must then follow the letter A with either the letter &#39;B&#39; or some number of occurrences of the letter &#39;C&#39; (the <code>+</code> matches one or more times). The <code>+</code> at the end of this section states that we can look for one or more matches of this section.</li>
<li><code>D</code> Finally, we ensure this section of the string ends with a &#39;D&#39;</li>
</ul>
<p>The expression would match inputs such as <code>ABBD</code>, <code>ABCCCCD</code>, <code>ABCBCCCD</code> and <code>ACCCCCD</code></p>
<p>It most cases, it doesn&#39;t take very long for a regex engine to find a match:</p>
<pre><code class="language-bash">$ time node -e &#39;/A(B|C+)+D/.test(&quot;ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD&quot;)&#39;
0.04s user 0.01s system 95% cpu 0.052 total
$ time node -e &#39;/A(B|C+)+D/.test(&quot;ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX&quot;)&#39;
1.79s user 0.02s system 99% cpu 1.812 total
</code></pre>
<p>The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.</p>
<p>Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesnt match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as <em>catastrophic backtracking</em>.</p>
<p>Let&#39;s look at how our expression runs into this problem, using a shorter string: &quot;ACCCX&quot;. While it seems fairly straightforward, there are still four different ways that the engine could match those three C&#39;s:</p>
<ol>
<li>CCC</li>
<li>CC+C</li>
<li>C+CC</li>
<li>C+C+C.</li>
</ol>
<p>The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use <a href="https://regex101.com/debugger">RegEx 101 debugger</a> to see the engine has to take a total of 38 steps before it can determine the string doesn&#39;t match.</p>
<p>From there, the number of steps the engine must use to validate a string just continues to grow.</p>
<table>
<thead>
<tr>
<th>String</th>
<th align="right">Number of C&#39;s</th>
<th align="right">Number of steps</th>
</tr>
</thead>
<tbody><tr>
<td>ACCCX</td>
<td align="right">3</td>
<td align="right">38</td>
</tr>
<tr>
<td>ACCCCX</td>
<td align="right">4</td>
<td align="right">71</td>
</tr>
<tr>
<td>ACCCCCX</td>
<td align="right">5</td>
<td align="right">136</td>
</tr>
<tr>
<td>ACCCCCCCCCCCCCCX</td>
<td align="right">14</td>
<td align="right">65,553</td>
</tr>
</tbody></table>
<p>By the time the string includes 14 C&#39;s, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.</p>
<h2 id="remediation">Remediation</h2>
<p>Upgrade <code>@babel/runtime</code> to version 7.26.10, 8.0.0-alpha.17 or higher.</p>
<h2 id="references">References</h2>
<ul>
<li><a href="https://github.com/babel/babel/commit/d5952e80c0faa5ec20e35085531b6e572d31dad4">GitHub Commit</a></li>
<li><a href="https://gist.github.com/mmmsssttt404/1f066ed9237f514714f2cc022d631838">GitHub Gist</a></li>
<li><a href="https://github.com/babel/babel/pull/17173">GitHub PR</a></li>
</ul>
<hr/>
<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/SNYK-JS-BABELRUNTIME-10044504">More about this vulnerability</a></p>
</div>
</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low">
<h2 class="card__title">Arbitrary Code Injection</h2>
<div class="card__section">
<div class="card__labels">
<div class="label label--low">
<span class="label__text">low severity</span>
</div>
</div>
<hr/>
<ul class="card__meta">
<li class="card__meta__item">
Manifest file: /argo-cd <span class="list-paths__item__arrow"></span> ui/yarn.lock
</li>
<li class="card__meta__item">
Package Manager: npm
</li>
<li class="card__meta__item">
Vulnerable module:
prismjs
</li>
<li class="card__meta__item">Introduced through:
argo-cd-ui@1.0.0, redoc@2.4.0 and others
</li>
</ul>
<hr/>
<h3 class="card__section__title">Detailed paths</h3>
<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
argo-cd-ui@1.0.0
<span class="list-paths__item__arrow"></span>
redoc@2.4.0
<span class="list-paths__item__arrow"></span>
prismjs@1.29.0
</span>
</li>
</ul><!-- .list-paths -->
</div><!-- .card__section -->
<hr/>
<!-- Overview -->
<h2 id="overview">Overview</h2>
<p><a href="http://prismjs.com/">prismjs</a> is a lightweight, robust, elegant syntax highlighting library.</p>
<p>Affected versions of this package are vulnerable to Arbitrary Code Injection via the <code>document.currentScript</code> lookup process. An attacker can manipulate the web page content and execute unintended actions by injecting HTML elements that overshadow legitimate DOM elements.</p>
<p><strong>Note:</strong></p>
<p>This is only exploitable if the application accepts untrusted input containing HTML but not direct JavaScript.</p>
<h2 id="remediation">Remediation</h2>
<p>Upgrade <code>prismjs</code> to version 1.30.0 or higher.</p>
<h2 id="references">References</h2>
<ul>
<li><a href="https://github.com/PrismJS/prism/commit/8e8b9352dac64457194dd9e51096b4772532e53d">GitHub Commit</a></li>
<li><a href="https://gist.github.com/jackfromeast/aeb128e44f05f95828a1a824708df660">GitHub Gist</a></li>
<li><a href="https://github.com/PrismJS/prism/pull/3863">GitHub PR</a></li>
<li><a href="https://github.com/PrismJS/prism/blob/59e5a3471377057de1f401ba38337aca27b80e03/prism.js#L226-L259">Vulnerable Code</a></li>
</ul>
<hr/>
<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/SNYK-JS-PRISMJS-9055448">More about this vulnerability</a></p>
</div>
</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low">
<h2 class="card__title">Insecure Randomness</h2>
<div class="card__section">
<div class="card__labels">
<div class="label label--low">
<span class="label__text">low severity</span>
</div>
</div>
<hr/>
<ul class="card__meta">
<li class="card__meta__item">
Manifest file: /argo-cd <span class="list-paths__item__arrow"></span> ui/yarn.lock
</li>
<li class="card__meta__item">
Package Manager: npm
</li>
<li class="card__meta__item">
Vulnerable module:
formidable
</li>
<li class="card__meta__item">Introduced through:
argo-cd-ui@1.0.0, superagent@8.1.2 and others
</li>
</ul>
<hr/>
<h3 class="card__section__title">Detailed paths</h3>
<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
argo-cd-ui@1.0.0
<span class="list-paths__item__arrow"></span>
superagent@8.1.2
<span class="list-paths__item__arrow"></span>
formidable@2.1.2
</span>
</li>
</ul><!-- .list-paths -->
</div><!-- .card__section -->
<hr/>
<!-- Overview -->
<h2 id="overview">Overview</h2>
<p>Affected versions of this package are vulnerable to Insecure Randomness due to its use of the <code>hexoid()</code> function in the generation of fingerprint IDs.</p>
<h2 id="remediation">Remediation</h2>
<p>Upgrade <code>formidable</code> to version 2.1.3, 3.5.3 or higher.</p>
<h2 id="references">References</h2>
<ul>
<li><a href="https://github.com/node-formidable/formidable/commit/022c2c5577dfe14d2947f10909d81b03b6070bf5">GitHub Commit</a></li>
<li><a href="https://github.com/zast-ai/vulnerability-reports/blob/main/formidable/file_upload/report.md">Vulnerability Report</a></li>
</ul>
<hr/>
<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/SNYK-JS-FORMIDABLE-9788127">More about this vulnerability</a></p>
</div>
</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low">
<h2 class="card__title">Regular Expression Denial of Service (ReDoS)</h2>
<div class="card__section">
<div class="card__labels">
<div class="label label--low">
<span class="label__text">low severity</span>
</div>
</div>
<hr/>
<ul class="card__meta">
<li class="card__meta__item">
Manifest file: /argo-cd <span class="list-paths__item__arrow"></span> ui/yarn.lock
</li>
<li class="card__meta__item">
Package Manager: npm
</li>
<li class="card__meta__item">
Vulnerable module:
brace-expansion
</li>
<li class="card__meta__item">Introduced through:
argo-cd-ui@1.0.0, minimatch@3.1.2 and others
</li>
</ul>
<hr/>
<h3 class="card__section__title">Detailed paths</h3>
<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
argo-cd-ui@1.0.0
<span class="list-paths__item__arrow"></span>
minimatch@3.1.2
<span class="list-paths__item__arrow"></span>
brace-expansion@1.1.11
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
argo-cd-ui@1.0.0
<span class="list-paths__item__arrow"></span>
redoc@2.4.0
<span class="list-paths__item__arrow"></span>
@redocly/openapi-core@1.30.0
<span class="list-paths__item__arrow"></span>
minimatch@5.1.6
<span class="list-paths__item__arrow"></span>
brace-expansion@2.0.1
</span>
</li>
</ul><!-- .list-paths -->
</div><!-- .card__section -->
<hr/>
<!-- Overview -->
<h2 id="overview">Overview</h2>
<p><a href="https://github.com/juliangruber/brace-expansion">brace-expansion</a> is a Brace expansion as known from sh/bash</p>
<p>Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in the <code>expand()</code> function, which is prone to catastrophic backtracking on very long malicious inputs.</p>
<h2 id="poc">PoC</h2>
<pre><code class="language-js">import index from &quot;./index.js&quot;;
let str = &quot;{a}&quot; + &quot;,&quot;.repeat(100000) + &quot;\u0000&quot;;
let startTime = performance.now();
const result = index(str);
let endTime = performance.now();
let timeTaken = endTime - startTime;
console.log(`匹配耗时: ${timeTaken.toFixed(3)} 毫秒`);
</code></pre>
<h2 id="details">Details</h2>
<p>Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.</p>
<p>The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren&#39;t very intuitive and can ultimately end up making it easy for attackers to take your site down.</p>
<p>Lets take the following regular expression as an example:</p>
<pre><code class="language-js">regex = /A(B|C+)+D/
</code></pre>
<p>This regular expression accomplishes the following:</p>
<ul>
<li><code>A</code> The string must start with the letter &#39;A&#39;</li>
<li><code>(B|C+)+</code> The string must then follow the letter A with either the letter &#39;B&#39; or some number of occurrences of the letter &#39;C&#39; (the <code>+</code> matches one or more times). The <code>+</code> at the end of this section states that we can look for one or more matches of this section.</li>
<li><code>D</code> Finally, we ensure this section of the string ends with a &#39;D&#39;</li>
</ul>
<p>The expression would match inputs such as <code>ABBD</code>, <code>ABCCCCD</code>, <code>ABCBCCCD</code> and <code>ACCCCCD</code></p>
<p>It most cases, it doesn&#39;t take very long for a regex engine to find a match:</p>
<pre><code class="language-bash">$ time node -e &#39;/A(B|C+)+D/.test(&quot;ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD&quot;)&#39;
0.04s user 0.01s system 95% cpu 0.052 total
$ time node -e &#39;/A(B|C+)+D/.test(&quot;ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX&quot;)&#39;
1.79s user 0.02s system 99% cpu 1.812 total
</code></pre>
<p>The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.</p>
<p>Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesnt match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as <em>catastrophic backtracking</em>.</p>
<p>Let&#39;s look at how our expression runs into this problem, using a shorter string: &quot;ACCCX&quot;. While it seems fairly straightforward, there are still four different ways that the engine could match those three C&#39;s:</p>
<ol>
<li>CCC</li>
<li>CC+C</li>
<li>C+CC</li>
<li>C+C+C.</li>
</ol>
<p>The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use <a href="https://regex101.com/debugger">RegEx 101 debugger</a> to see the engine has to take a total of 38 steps before it can determine the string doesn&#39;t match.</p>
<p>From there, the number of steps the engine must use to validate a string just continues to grow.</p>
<table>
<thead>
<tr>
<th>String</th>
<th align="right">Number of C&#39;s</th>
<th align="right">Number of steps</th>
</tr>
</thead>
<tbody><tr>
<td>ACCCX</td>
<td align="right">3</td>
<td align="right">38</td>
</tr>
<tr>
<td>ACCCCX</td>
<td align="right">4</td>
<td align="right">71</td>
</tr>
<tr>
<td>ACCCCCX</td>
<td align="right">5</td>
<td align="right">136</td>
</tr>
<tr>
<td>ACCCCCCCCCCCCCCX</td>
<td align="right">14</td>
<td align="right">65,553</td>
</tr>
</tbody></table>
<p>By the time the string includes 14 C&#39;s, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.</p>
<h2 id="remediation">Remediation</h2>
<p>Upgrade <code>brace-expansion</code> to version 1.1.12, 2.0.2, 3.0.1, 4.0.1 or higher.</p>
<h2 id="references">References</h2>
<ul>
<li><a href="https://github.com/advisories/GHSA-v6h2-p8h4-qcjw">GitHub Advisory</a></li>
<li><a href="https://github.com/juliangruber/brace-expansion/commit/0b6a9781e18e9d2769bb2931f4856d1360243ed2">GitHub Commit</a></li>
<li><a href="https://gist.github.com/mmmsssttt404/37a40ce7d6e5ca604858fe30814d9466">GitHub Gist</a></li>
<li><a href="https://github.com/juliangruber/brace-expansion/pull/65">GitHub PR</a></li>
</ul>
<hr/>
<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/SNYK-JS-BRACEEXPANSION-9789073">More about this vulnerability</a></p>
</div>
</div><!-- .card -->
</div><!-- cards -->
</div>
</main><!-- .layout-stacked__content -->
</body>
</html>
Reference in a new issue View git blame Copy permalink