CVE-2021-27290 in `react-scripts` due to using old version of `webpack`

[alexross1988IBM]

Describe the bug

CVE-2021-27290

ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.

Looking at https://github.com/facebook/create-react-app/blob/master/packages/react-scripts/package.json it pulls in webpack @ 4.44.2 which ends up with this tree:

  ┬ react-scripts@4.0.3
  ├─┬ terser-webpack-plugin@4.2.3
  │ └─┬ cacache@15.0.5
  │   └── ssri@8.0.1 
  └─┬ webpack@4.44.2
    └─┬ terser-webpack-plugin@1.4.5
      └─┬ cacache@12.0.4
        └── ssri@6.0.1 

Moving to the latest webpack currently 5.26.2 will fix this.

[candrews]

Issue reported to Webpack at webpack/webpack#12926

[vparames86]

How difficult is to move react-scripts to webpack 5?

[sgarza-ksm]

react-script to webpack 5 sounds like the move

[djmitche]

Webpack 5 is #9994. Looks like "very difficult" but in progress.

[yyfearth]

react-script to webpack 5 sounds like the move
Webpack 5 is #9994. Looks like "very difficult" but in progress.

Move to webpack 5 will be a major version update like CRA 5, which will cause breaking changes.

I think CRA definitely need to move, but may need more time.

So I think we should still upgrade these dependencies in CRA 4 if anyone have time to create a PR.

[nj314]

Per SNYK-JS-SSRI-1246392, this is resolved by bugfix releases 6.0.2 and 8.0.1 of ssri. Run npm upgrade or rebuild package-lock.json to pick up the latest bugfix versions automatically. While I too would love to see a webpack 5-compatible react-scripts, fixing this particular vuln can be done without a react-scripts release.

[thediveo]

any news on this, as grype is still detecting this one, even when resolving ssri to ^8.0.1?

[stale]

This issue has been automatically marked as stale because it has not had any recent activity. It will be closed in 5 days if no further activity occurs.