Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

#CVE-2022-37620 in 1.10.3 ([email protected] dependency) #1092

Closed
TomaszG opened this issue Jan 12, 2024 · 3 comments
Closed

#CVE-2022-37620 in 1.10.3 ([email protected] dependency) #1092

TomaszG opened this issue Jan 12, 2024 · 3 comments

Comments

@TomaszG
Copy link

TomaszG commented Jan 12, 2024

Summary
ReDoS vulnerability has been found in [email protected], which is a transitive dependency of the mailer package.

Details
Vulnerability information: https://nvd.nist.gov/vuln/detail/CVE-2022-37620
mjml package ticket: mjmlio/mjml#2802
html-minifier package ticket: kangax/html-minifier#1135

Unfortunately, the latter one doesn't seem to be maintained anymore.

Dependency tree:

@nestjs-modules/mailer 1.10.3
└─┬ mjml 4.14.1
  ├─┬ mjml-cli 4.14.1
  │ ├── html-minifier 4.0.0
  │ └─┬ mjml-core 4.14.1
  │   └── html-minifier 4.0.0
  ├─┬ mjml-core 4.14.1
  │ └── html-minifier 4.0.0
  └─┬ mjml-preset-core 4.14.1
    ├─┬ mjml-accordion 4.14.1
    │ └─┬ mjml-core 4.14.1
    │   └── html-minifier 4.0.0
    ├─┬ mjml-body 4.14.1
    │ └─┬ mjml-core 4.14.1
    │   └── html-minifier 4.0.0
    ├─┬ mjml-button 4.14.1
    │ └─┬ mjml-core 4.14.1
    │   └── html-minifier 4.0.0
    ├─┬ mjml-carousel 4.14.1
    │ └─┬ mjml-core 4.14.1
    │   └── html-minifier 4.0.0
    ├─┬ mjml-column 4.14.1
    │ └─┬ mjml-core 4.14.1
    │   └── html-minifier 4.0.0
    ├─┬ mjml-divider 4.14.1
    │ └─┬ mjml-core 4.14.1
    │   └── html-minifier 4.0.0
    └─┬ mjml-group 4.14.1
      └─┬ mjml-core 4.14.1
        └── html-minifier 4.0.0
@juandav
Copy link
Member

juandav commented Feb 24, 2024

It should be resolved in mailer version 1.11.0. If there are any other issues, please do not hesitate to let me know

@juandav juandav closed this as completed Feb 24, 2024
@TomaszG
Copy link
Author

TomaszG commented Apr 22, 2024

@juandav, this is still valid in 1.11.2:

dependencies:
@nestjs-modules/mailer 1.11.2
└─┬ mjml 4.15.3
  ├─┬ mjml-cli 4.15.3
  │ ├── html-minifier 4.0.0
  │ └─┬ mjml-core 4.15.3
  │   └── html-minifier 4.0.0
  ├─┬ mjml-core 4.15.3
  │ └── html-minifier 4.0.0
  └─┬ mjml-preset-core 4.15.3
    ├─┬ mjml-accordion 4.15.3
    │ └─┬ mjml-core 4.15.3
    │   └── html-minifier 4.0.0
    ├─┬ mjml-body 4.15.3
    │ └─┬ mjml-core 4.15.3
    │   └── html-minifier 4.0.0
    ├─┬ mjml-button 4.15.3
    │ └─┬ mjml-core 4.15.3
    │   └── html-minifier 4.0.0
    ├─┬ mjml-carousel 4.15.3
    │ └─┬ mjml-core 4.15.3
    │   └── html-minifier 4.0.0
    ├─┬ mjml-column 4.15.3
    │ └─┬ mjml-core 4.15.3
    │   └── html-minifier 4.0.0
    ├─┬ mjml-divider 4.15.3
    │ └─┬ mjml-core 4.15.3
    │   └── html-minifier 4.0.0
    └─┬ mjml-group 4.15.3
      └─┬ mjml-core 4.15.3
        └── html-minifier 4.0.0

@sirmonin sirmonin mentioned this issue Apr 23, 2024
Merged
@sirmonin
Copy link

@juandav +1. Opened a pull request. I suggest moving the mjml into optional dependencies, since it is simply just an optional adapter

@LeshaZ LeshaZ mentioned this issue Jun 10, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@TomaszG @juandav @sirmonin