Dependabot alert for node-forge vulnerability (CVE-2022-24773) #10833

mabubakar2 · 2024-04-29T06:19:01Z

mabubakar2
Apr 29, 2024

Hi everyone,

I'm encountering a Dependabot alert for a vulnerability in the node-forge package used by @vue/cli-service. This vulnerability can potentially allow for RSA signature forgery under certain conditions.

Details:

Vulnerable package: node-forge (versions below 1.3.0)
Impact: Improper verification of cryptographic signatures can lead to signature forgery.
Affected versions of @vue/cli-service: 4.5.17 (due to a transitive dependency on selfsigned)
References:
- CVE details: https://security.snyk.io/vuln/SNYK-JS-NODEFORGE-2330875

The issue:
Dependabot is unable to update node-forge to a patched version (1.3.0 or later) due to a conflicting dependency with @vue/cli-service at version 4.5.17. Specifically, @vue/cli-service requires node-forge@^0.10.0 through a transitive dependency on selfsigned.

Questions:

Has anyone else encountered this specific issue with node-forge and @vue/cli-service?
Are there any known workarounds or solutions to address this vulnerability while using @vue/cli-service 4.5.17?
If upgrading node-forge is recommended, is there a timeline for when a compatible, patched version of @vue/cli-service might be available?

Thank you!

Answered by jacekkarczmarczyk

Apr 29, 2024

Maybe something like yarn resolutions (or equivalent in other package managers). In the worst case you could clone vue cli and patch it yourself. If you don't want to chnage the tool you can also consider upgrading vue cli to 5

View full answer

jacekkarczmarczyk · 2024-04-29T06:21:26Z

jacekkarczmarczyk
Apr 29, 2024

is there a timeline for when a compatible, patched version of @vue/cli-service might be available?

Vue CLI is not maintained any longer

3 replies

mabubakar2 Apr 29, 2024
Author

Thanks for letting me know that Vue CLI is no longer under active maintenance. That's definitely something to consider. While a permanent solution might involve migrating to a different CLI tool, do you happen to know of any workarounds for the specific node-forge vulnerability in the context of using Vue CLI 4.5.17? Perhaps there's a way to manually patch the dependency or implement a mitigation strategy until a compatible, patched version of another package becomes available?

jacekkarczmarczyk Apr 29, 2024

Maybe something like yarn resolutions (or equivalent in other package managers). In the worst case you could clone vue cli and patch it yourself. If you don't want to chnage the tool you can also consider upgrading vue cli to 5

Answer selected by mabubakar2

mabubakar2 May 2, 2024
Author

Legend @jacekkarczmarczyk! Thanks heaps, yarn resolution solved the issue!

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Dependabot alert for node-forge vulnerability (CVE-2022-24773) #10833

{{title}}

Replies: 1 comment 3 replies

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

Select a reply

Dependabot alert for node-forge vulnerability (CVE-2022-24773) #10833

mabubakar2 Apr 29, 2024

Replies: 1 comment · 3 replies

jacekkarczmarczyk Apr 29, 2024

mabubakar2 Apr 29, 2024 Author

jacekkarczmarczyk Apr 29, 2024

mabubakar2 May 2, 2024 Author

mabubakar2
Apr 29, 2024

Replies: 1 comment 3 replies

jacekkarczmarczyk
Apr 29, 2024

mabubakar2 Apr 29, 2024
Author

mabubakar2 May 2, 2024
Author