Skip to content

[Bug]: Vulnerabilities in @modern-js/node-bundle-require due to the old esbuild dependency #6993

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
ardokirsipuu opened this issue Mar 30, 2025 · 5 comments
Open

[Bug]: Vulnerabilities in @modern-js/node-bundle-require due to the old esbuild dependency #6993

ardokirsipuu opened this issue Mar 30, 2025 · 5 comments
Assignees
@caohuilin
Labels
💉 bug Something isn't working

Comments

@ardokirsipuu
Copy link

Version

npmPackages:
    @modern-js/app-tools: 2.66.0 => 2.66.0
    @modern-js/runtime: 2.66.0 => 2.66.0
    @modern-js/tsconfig: 2.66.0 => 2.66.0

Details

@modern-js/node-bundle-require has a dependency esbuild version 0.17.19 (https://github.com/web-infra-dev/modern.js/blob/main/packages/toolkit/node-bundle-require/package.json#L56) which is many years old and has multiple security issues, one of them Critical. One of them is a vulnerability of the esbuild node package itself, while others are caused by its go binaries published under @esbuild/* namespace.

If the version is bumped to at least 0.25.1 then all of them will be fixed.

The vulnerabilities for the binaries come from the version of Go being used to build those binaries. Esbuild announces Go versions in use in their releases, e.g. "Update Go from 1.23.5 to 1.23.7" for release 0.25.1.

Output of a Trivy scan regarding esbuild binaries with version 0.17.19:

app-root/node_modules/@esbuild/linux-x64/bin/esbuild (gobinary)
===============================================================
Total: 24 (UNKNOWN: 0, LOW: 0, MEDIUM: 18, HIGH: 5, CRITICAL: 1)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │          Fixed Version           │                            Title                             │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-24790 │ CRITICAL │ fixed  │ v1.20.4           │ 1.21.11, 1.22.4                  │ golang: net/netip: Unexpected behavior from Is methods for   │
│         │                │          │        │                   │                                  │ IPv4-mapped IPv6 addresses                                   │
│         │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2024-24790                   │
│         ├────────────────┼──────────┤        │                   ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2023-29403 │ HIGH     │        │                   │ 1.19.10, 1.20.5                  │ golang: runtime: unexpected behavior of setuid/setgid        │
│         │                │          │        │                   │                                  │ binaries                                                     │
│         │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-29403                   │
│         ├────────────────┤          │        │                   ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2023-39325 │          │        │                   │ 1.20.10, 1.21.3                  │ golang: net/http, x/net/http2: rapid stream resets can cause │
│         │                │          │        │                   │                                  │ excessive work (CVE-2023-44487)                              │
│         │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-39325                   │
│         ├────────────────┤          │        │                   ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2023-45283 │          │        │                   │ 1.20.11, 1.21.4, 1.20.12, 1.21.5 │ The filepath package does not recognize paths with a \??\    │
│         │                │          │        │                   │                                  │ prefix as...                                                 │
│         │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-45283                   │
│         ├────────────────┤          │        │                   ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2023-45288 │          │        │                   │ 1.21.9, 1.22.2                   │ golang: net/http, x/net/http2: unlimited number of           │
│         │                │          │        │                   │                                  │ CONTINUATION frames causes DoS                               │
│         │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-45288                   │
│         ├────────────────┤          │        │                   ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2024-34156 │          │        │                   │ 1.22.7, 1.23.1                   │ encoding/gob: golang: Calling Decoder.Decode on a message    │
│         │                │          │        │                   │                                  │ which contains deeply nested structures...                   │
│         │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2024-34156                   │
│         ├────────────────┼──────────┤        │                   ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2023-29406 │ MEDIUM   │        │                   │ 1.19.11, 1.20.6                  │ golang: net/http: insufficient sanitization of Host header   │
│         │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-29406                   │
│         ├────────────────┤          │        │                   ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2023-29409 │          │        │                   │ 1.19.12, 1.20.7, 1.21.0-rc.4     │ golang: crypto/tls: slow verification of certificate chains  │
│         │                │          │        │                   │                                  │ containing large RSA keys                                    │
│         │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-29409                   │
│         ├────────────────┤          │        │                   ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2023-39318 │          │        │                   │ 1.20.8, 1.21.1                   │ golang: html/template: improper handling of HTML-like        │
│         │                │          │        │                   │                                  │ comments within script contexts                              │
│         │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-39318                   │
│         ├────────────────┤          │        │                   │                                  ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2023-39319 │          │        │                   │                                  │ golang: html/template: improper handling of special tags     │
│         │                │          │        │                   │                                  │ within script contexts                                       │
│         │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-39319                   │
│         ├────────────────┤          │        │                   ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2023-39326 │          │        │                   │ 1.20.12, 1.21.5                  │ golang: net/http/internal: Denial of Service (DoS) via       │
│         │                │          │        │                   │                                  │ Resource Consumption via HTTP requests...                    │
│         │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-39326                   │
│         ├────────────────┤          │        │                   ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2023-45284 │          │        │                   │ 1.20.11, 1.21.4                  │ On Windows, The IsLocal function does not correctly detect   │
│         │                │          │        │                   │                                  │ reserved de ......                                           │
│         │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-45284                   │
│         ├────────────────┤          │        │                   ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2023-45289 │          │        │                   │ 1.21.8, 1.22.1                   │ golang: net/http/cookiejar: incorrect forwarding of          │
│         │                │          │        │                   │                                  │ sensitive headers and cookies on HTTP redirect...            │
│         │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-45289                   │
│         ├────────────────┤          │        │                   │                                  ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2023-45290 │          │        │                   │                                  │ golang: net/http: golang: mime/multipart: golang:            │
│         │                │          │        │                   │                                  │ net/textproto: memory exhaustion in                          │
│         │                │          │        │                   │                                  │ Request.ParseMultipartForm                                   │
│         │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-45290                   │
│         ├────────────────┤          │        │                   │                                  ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2024-24783 │          │        │                   │                                  │ golang: crypto/x509: Verify panics on certificates with an   │
│         │                │          │        │                   │                                  │ unknown public key algorithm...                              │
│         │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2024-24783                   │
│         ├────────────────┤          │        │                   │                                  ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2024-24784 │          │        │                   │                                  │ golang: net/mail: comments in display names are incorrectly  │
│         │                │          │        │                   │                                  │ handled                                                      │
│         │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2024-24784                   │
│         ├────────────────┤          │        │                   │                                  ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2024-24785 │          │        │                   │                                  │ golang: html/template: errors returned from MarshalJSON      │
│         │                │          │        │                   │                                  │ methods may break template escaping                          │
│         │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2024-24785                   │
│         ├────────────────┤          │        │                   ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2024-24789 │          │        │                   │ 1.21.11, 1.22.4                  │ golang: archive/zip: Incorrect handling of certain ZIP files │
│         │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2024-24789                   │
│         ├────────────────┤          │        │                   ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2024-24791 │          │        │                   │ 1.21.12, 1.22.5                  │ net/http: Denial of service due to improper 100-continue     │
│         │                │          │        │                   │                                  │ handling in net/http                                         │
│         │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2024-24791                   │
│         ├────────────────┤          │        │                   ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2024-34155 │          │        │                   │ 1.22.7, 1.23.1                   │ go/parser: golang: Calling any of the Parse functions        │
│         │                │          │        │                   │                                  │ containing deeply nested literals...                         │
│         │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2024-34155                   │
│         ├────────────────┤          │        │                   │                                  ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2024-34158 │          │        │                   │                                  │ go/build/constraint: golang: Calling Parse on a "// +build"  │
│         │                │          │        │                   │                                  │ build tag line with...                                       │
│         │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2024-34158                   │
│         ├────────────────┤          │        │                   ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2024-45336 │          │        │                   │ 1.22.11, 1.23.5, 1.24.0-rc.2     │ golang: net/http: net/http: sensitive headers incorrectly    │
│         │                │          │        │                   │                                  │ sent after cross-domain redirect                             │
│         │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2024-45336                   │
│         ├────────────────┤          │        │                   │                                  ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2024-45341 │          │        │                   │                                  │ golang: crypto/x509: crypto/x509: usage of IPv6 zone IDs can │
│         │                │          │        │                   │                                  │ bypass URI name...                                           │
│         │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2024-45341                   │
│         ├────────────────┤          │        │                   ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2025-22866 │          │        │                   │ 1.22.12, 1.23.6, 1.24.0-rc.3     │ crypto/internal/nistec: golang: Timing sidechannel for P-256 │
│         │                │          │        │                   │                                  │ on ppc64le in crypto/internal/nistec                         │
│         │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2025-22866                   │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────────┴──────────────────────────────────────────────────────────────┘

Reproduce link

https://github.com/web-infra-dev/modern.js/blob/main/packages/toolkit/node-bundle-require/package.json#L56

Reproduce Steps

  1. Run mkdir myapp && cd myapp && npx @modern-js/create@latest (choose TS and npm)
  2. Run npm audit
  3. See the audit report: 
    esbuild  <=0.24.2
Severity: moderate
esbuild enables any website to send any requests to the development server and read the response - https://github.com/advisories/GHSA-67mh-4wv8-2f99
@ardokirsipuu ardokirsipuu added the 💉 bug Something isn't working label Mar 30, 2025
@caohuilin
Copy link
Member

Thank you for raising this issue and providing detailed information about the vulnerabilities in [email protected]. We understand the importance of keeping dependencies up-to-date to address security concerns. However, there is currently a constraint that prevents us from upgrading esbuild to the latest version.

Node.js 16 Compatibility
Modern.js still supports Node.js 16, which is a requirement for some of our users. Unfortunately, esbuild dropped support for Node.js 16 starting from version 0.22.0 (release notes). As a result, upgrading to [email protected] or later is not feasible at this time without breaking Node.js 16 compatibility.

Next Steps
We are actively monitoring the situation and plan to upgrade esbuild to a more recent version once Modern.js officially drops support for Node.js 16. This will allow us to address the reported vulnerabilities while maintaining compatibility with supported Node.js versions.

@ardokirsipuu
Copy link
Author

ardokirsipuu commented Mar 31, 2025
edited
Loading

Using Node.js 16 is insecure by itself, it's End-of-life from 2023 (link).

I think the default should be to use secure versions of dependencies (esbuild 0.25.1+), and if people want/need to use insecure technologies (EOL Node.js), then they can override eslint's version back to whatever <0.22.0 version as they wish (using package.json's overrides/resolutions section), no?

TL;DR I think out-of-the-box security is more important than out-of-the-box EOL Node.js support.

@DanielSchiavini
Copy link

DanielSchiavini commented Apr 1, 2025
edited
Loading

I've been able to fix the security issue by overriding esbuild in package.json

"overrides": {
    "esbuild": "0.25.2"
  },

Hoping that doesn't break anything

@caohuilin
Copy link
Member

We will officially end support for Node.js 16 on June 30, 2025, at which time we will upgrade the esbuild dependency to the latest version to address all the security vulnerabilities you've reported.

In the meantime, if you need to address these security issues immediately, you can use the temporary solution mentioned in the comments by overriding the esbuild version in your package.json:

"overrides": {
  "esbuild": "0.25.2"
}

We understand the importance of security concerns and appreciate the community's attention to the project's security. We are actively working on reducing our dependencies on these packages while ensuring a smooth transition to more secure solutions.

Thank you for your understanding and support.

@caohuilin caohuilin self-assigned this Apr 10, 2025
@Julien-Marcou Julien-Marcou mentioned this issue Apr 29, 2025
Open
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@caohuilin caohuilin

Labels
💉 bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@DanielSchiavini @caohuilin @ardokirsipuu