
Comments (1)

david-luna avatar david-luna commented on September 21, 2024

Hi @opravil-jan

We've already checked and discussed this vuln internally; here are the observations we got from the review:

  • The min supported node is v10 for semver@7. Currently the only "fixed" version of semver is v7.5.2.
  • node-semver doesn't have maintenance branches currently for doing updated v6 or v5 releases. There is a user request on the public node-semver pull above about getting fixed releases of semver@5 (and/or presumably semver@6).
  • elastic/apm-agent-nodejs is currently using semver@6 and cannot use semver@7 because it supports back to node v8.6.0.
    The vuln is when untrusted input is given to semver.Range, also indirectly used by semver.satisfies(ver, range).
  • From the PR fixing the issue, it looks like they guard against version strings provided as well, so any new semver.SemVer(verString) usage as well -- which is basically all semver API usage. However, the latest semver@5, semver@6, and semver@7 all have a guard on the max version string being less than 256 chars. My guess is this is why the vuln description is limited to input to new Range.
  • While apm-agent-nodejs' runtime code (everything under "lib/...") uses semver.satisfies() heavily, every usage uses a hardcoded static string for the range argument. I.e. there is no untrusted user input involved.

Our conclusion was: apm-agent-nodejs.git (and the apm-nodejs-http-client.git it uses) are not affected by this issue. Also note that we expect to drop support for older node versions such that we can upgrade to the latest semver@7.

It looks like very recently (3 days ago) they started a backport to v6. If it is finally done we will upgrade to include the fix although the agent is not affected.

Cheers

from apm-nodejs-http-client.
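As an added example (not part of this thread, nor code from the apm-agent-nodejs or node-semver projects): a small audit script in the spirit of the review described above. It walks over source lines, finds `semver.satisfies(...)` and `new semver.Range(...)` call sites, and reports whether the range argument is a plain string literal (the case the comment treats as not affected) or an expression such as a variable, an interpolated template literal, or request data that should be examined. The sample source, `RANGE_CALLS`, `auditSemverUsage` and the other names are the example's own; it does not load the `semver` package, so it runs offline.

```javascript
'use strict';

// Call sites whose range argument should be a compile-time constant.
// rangeArgIndex is the zero-based position of the range argument.
// (Example-specific table; not from semver or the agent.)
const RANGE_CALLS = [
  { name: 'semver.satisfies', rangeArgIndex: 1 },
  { name: 'new semver.Range', rangeArgIndex: 0 },
];

// Given source text and the index of an opening '(', split the arguments at
// top-level commas (respecting nested brackets and string quotes) and return
// them with the index of the matching ')'. endIdx is -1 if unbalanced.
function splitTopLevelArgs(src, openIdx) {
  const args = [];
  let depth = 0;
  let quote = null;
  let start = openIdx + 1;
  for (let i = openIdx + 1; i < src.length; i++) {
    const ch = src[i];
    if (quote) {
      if (ch === '\\') { i++; continue; }      // skip escaped char
      if (ch === quote) quote = null;
      continue;
    }
    if (ch === '"' || ch === "'" || ch === '`') { quote = ch; continue; }
    if (ch === '(' || ch === '[' || ch === '{') { depth++; continue; }
    if (ch === ')' || ch === ']' || ch === '}') {
      if (depth === 0) {
        args.push(src.slice(start, i).trim());
        return { args, endIdx: i };
      }
      depth--;
      continue;
    }
    if (ch === ',' && depth === 0) {
      args.push(src.slice(start, i).trim());
      start = i + 1;
    }
  }
  return { args, endIdx: -1 };
}

// A range argument is static only if it is exactly one string literal with no
// template interpolation, e.g. '>=8.6.0 <9'. Anything else (identifiers,
// concatenation, `${...}`) is reported for manual review.
function isStaticString(arg) {
  const q = arg[0];
  if (q !== '"' && q !== "'" && q !== '`') return false;
  for (let i = 1; i < arg.length; i++) {
    if (arg[i] === '\\') { i++; continue; }
    if (arg[i] === q) return i === arg.length - 1;   // closing quote must end the arg
    if (q === '`' && arg.startsWith('${', i)) return false;
  }
  return false;
}

// Scan source text line by line and describe every matching call site.
function auditSemverUsage(source) {
  const findings = [];
  source.split('\n').forEach((line, idx) => {
    for (const call of RANGE_CALLS) {
      let from = 0;
      for (;;) {
        const at = line.indexOf(call.name + '(', from);
        if (at === -1) break;
        const openIdx = at + call.name.length;
        const { args, endIdx } = splitTopLevelArgs(line, openIdx);
        const rangeArg = args[call.rangeArgIndex];
        findings.push({
          line: idx + 1,
          call: call.name,
          rangeArg: rangeArg === undefined ? null : rangeArg,
          static: rangeArg !== undefined && isStaticString(rangeArg),
        });
        from = endIdx === -1 ? line.length : endIdx + 1;
      }
    }
  });
  return findings;
}

// Constructed sample source, standing in for a file under lib/.
const SAMPLE_SOURCE = [
  "const semver = require('semver')",
  "if (semver.satisfies(process.version, '>=8.6.0 <9')) { patch() }",
  "const ok = semver.satisfies(ver, `>=${opts.min} <${opts.max}`)",
  "const r = new semver.Range(req.query.range)",
  "assert(semver.satisfies(pkg.version, \"~1.2.3\"), 'bad version')",
].join('\n');

function formatReport(findings) {
  return findings.map((f) =>
    `${f.static ? 'ok     ' : 'REVIEW '} line ${f.line}: ${f.call}(range = ${f.rangeArg})`);
}

console.log(formatReport(auditSemverUsage(SAMPLE_SOURCE)).join('\n'));
```

The scanner is deliberately line-based and does not understand comments or aliases (`const { satisfies } = require('semver')` or `semver.satisfies (` with a space are not matched), so it is a triage aid rather than a proof; the sites it reports are the ones where a bounded length check or an allowlist of expected ranges belongs before the value reaches `semver`.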
