node:14 CVE-2021-44906

Version

v14.19.1

Platform

Linux 4fda86bd07b1 5.10.76-linuxkit #1 SMP Mon Nov 8 10:21:19 UTC 2021 x86_64 Linux

Subsystem

No response

What steps will reproduce the bug?

trivy i node:14 > CVE-2021-44906 listed against node-pkg
trivy i node:14-alpine > CVE-2021-44906 listed as the only HIGH vulnerability

How often does it reproduce? Is there a required condition?

Always

What is the expected behavior?

trivy i node:14-alpine lists no HIGH severity vulnerabilities

What do you see instead?

trivy i node:14-alpine
2022-03-24T08:59:51.998Z	INFO	Detected OS: alpine
2022-03-24T08:59:51.999Z	INFO	Detecting Alpine vulnerabilities...
2022-03-24T08:59:52.001Z	INFO	Number of language-specific files: 1
2022-03-24T08:59:52.001Z	INFO	Detecting node-pkg vulnerabilities...

node:14-alpine (alpine 3.15.2)
==============================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


Node.js (node-pkg)
==================
Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 1, CRITICAL: 0)

+------------+------------------+----------+-------------------+---------------+---------------------------------------+
|  LIBRARY   | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+------------+------------------+----------+-------------------+---------------+---------------------------------------+
| ansi-regex | CVE-2021-3807    | MEDIUM   | 3.0.0             | 5.0.1, 6.0.1  | nodejs-ansi-regex: Regular            |
|            |                  |          |                   |               | expression denial of service          |
|            |                  |          |                   |               | (ReDoS) matching ANSI escape codes    |
|            |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3807  |
+            +                  +          +-------------------+               +                                       +
|            |                  |          | 4.1.0             |               |                                       |
|            |                  |          |                   |               |                                       |
|            |                  |          |                   |               |                                       |
|            |                  |          |                   |               |                                       |
+------------+------------------+----------+-------------------+---------------+---------------------------------------+
| minimist   | CVE-2021-44906   | HIGH     | 1.2.5             | 1.2.6         | minimist: prototype pollution         |
|            |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-44906 |
+------------+------------------+----------+-------------------+---------------+---------------------------------------+

Additional information

No response

2 thoughts on “node:14 CVE-2021-44906”

  1. This should remain closed.

    • The “vulnerability” is in npm, not Node.js.
    • It’s not actually a vulnerability, certainly not one that is realistically exploitable in this situation. (Please feel free to come up with a realistic description of how it might be exploited if you disagree. Unless someone is passing completely arbitrary arguments indiscriminately to npm, this is not going to affect anyone. And if someone is passing arguments indiscriminately to npm, then they have bigger problems.)
    • This is fixable with npm install -g npm.

    @nodejs/npm Please leave a comment if you disagree with anything I’ve written above. Also, are there any plans to update or remove minimist in any subsequent releases of npm version 6?

    @nodejs/releasers There’s no plan to update the npm version that is shipped with Node.js 14.x to something newer than version 6, is there?
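The comment above turns on whether anyone feeds attacker-controlled arguments into minimist. The following is an added example, not code from this issue, from npm or from minimist: a toy `--a.b=value` argument parser in a naive form and a hardened form, plus a probe that checks whether `Object.prototype` picked up anything after parsing. The parser, the `BLOCKED_KEYS` list and the probe's argument string are all constructed for illustration; the hardened form refuses reserved keys in the path and builds its result from null-prototype objects, which is the general mitigation for this CVE class rather than minimist's own patch.

```javascript
// Added example (not from the issue thread, npm or minimist): how
// prototype pollution through argv parsing arises, and the two defensive
// changes that close it. Assumed names: BLOCKED_KEYS, parseArgsNaive,
// parseArgsSafe, isPrototypePolluted, probe.

// Path segments that must never be walked when assigning nested keys.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Naive nested assignment on a plain object. When a segment is
// "__proto__", o["__proto__"] resolves to Object.prototype, so the final
// assignment lands on the shared prototype instead of the result object.
function setPathNaive(obj, keys, value) {
  let o = obj;
  for (const k of keys.slice(0, -1)) {
    if (o[k] === undefined) o[k] = {};
    o = o[k];
  }
  o[keys[keys.length - 1]] = value;
}

// Hardened assignment: reject reserved segments outright and only create
// null-prototype containers, so no step of the walk can reach a prototype.
function setPathSafe(obj, keys, value) {
  if (keys.some((k) => BLOCKED_KEYS.has(k))) {
    throw new Error(`refusing to assign through reserved key: ${keys.join('.')}`);
  }
  let o = obj;
  for (const k of keys.slice(0, -1)) {
    if (!Object.prototype.hasOwnProperty.call(o, k)) o[k] = Object.create(null);
    o = o[k];
  }
  o[keys[keys.length - 1]] = value;
}

// Minimal "--dotted.key=value" parser, parameterised on the root object
// and the assignment strategy so both variants share the same loop.
function parseWith(argv, root, setPath) {
  for (const arg of argv) {
    const m = /^--([^=]+)=(.*)$/.exec(arg);
    if (!m) continue; // ignore anything that is not --key=value
    setPath(root, m[1].split('.'), m[2]);
  }
  return root;
}

function parseArgsNaive(argv) {
  return parseWith(argv, {}, setPathNaive);
}

function parseArgsSafe(argv) {
  return parseWith(argv, Object.create(null), setPathSafe);
}

// Defender's check: a clean Object.prototype has no enumerable own keys.
function isPrototypePolluted() {
  return Object.keys(Object.prototype).length > 0;
}

// Run one parser over an argv vector and report whether it threw and
// whether the shared prototype was modified. Cleans up afterwards so the
// rest of the process is unaffected.
function probe(parser, argv) {
  let threw = false;
  try {
    parser(argv);
  } catch (e) {
    threw = true;
  }
  const polluted = isPrototypePolluted();
  for (const k of Object.keys(Object.prototype)) delete Object.prototype[k];
  return { threw, polluted };
}

// Constructed regression input: a dotted key whose first segment is reserved.
const RESERVED_PATH_ARGV = ['--__proto__.polluted=yes'];

console.log('naive parser:', probe(parseArgsNaive, RESERVED_PATH_ARGV));
console.log('safe parser: ', probe(parseArgsSafe, RESERVED_PATH_ARGV));
console.log('safe parser on ordinary input:', parseArgsSafe(['--registry.url=https://example.invalid']));
```

The probe is the useful part for a reviewer of an image like node:14: it answers the comment's exploitability question in concrete terms (pollution happens only when a reserved segment reaches a plain-object walk) and doubles as a regression test for any in-house argument or config parser.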

  2. @nodejs/releasers There’s no plan to update the npm version that is shipped with Node.js 14.x to something newer than version 6, is there?

    No plans at this time. npm 7/8 had some edge case breaks from npm 6. We would, of course, consider any newer npm 6.x release for Node.js 14.x.
