
Snyk reports high risk severity for acorn in react-scripts #8615

Closed
w3bdesign opened this issue Mar 7, 2020 · 28 comments

Comments

@w3bdesign

Describe the bug

Snyk reports high severity issue with react-scripts. See details below:

Regular Expression Denial of Service (ReDoS)

Vulnerable module: acorn
Introduced through: [email protected]
Exploit maturity: No known exploit
Fixed in: 7.1.1

Detailed paths

Introduced through: [email protected][email protected][email protected][email protected]
Remediation: No remediation path available.
Introduced through: [email protected][email protected][email protected][email protected][email protected]
Remediation: No remediation path available.
Introduced through: [email protected][email protected][email protected][email protected][email protected][email protected]
Remediation: No remediation path available.

…and 14 more
Overview

acorn is a tiny, fast JavaScript parser written in JavaScript.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via a regex in the form of /[x-\ud800]/u, which causes the parser to enter an infinite loop.

This string is not a valid UTF16 and is therefore not sanitized before reaching the parser. An application which processes untrusted input and passes it directly to acorn, will allow attackers to leverage the vulnerability leading to a Denial of Service.

Did you try recovering your dependencies?

Yes.

Please paste the output of npm --version and/or yarn --version to confirm.

6.13.7

Which terms did you search for in User Guide?

Not applicable.

Environment

Environment Info:

System:
OS: Windows 7 6.1.7601
CPU: (8) x64 Intel(R) Core(TM) i7-4790K CPU @ 4.00GHz
Binaries:
Node: 12.16.1 - C:\Program Files\nodejs\node.EXE
Yarn: 1.21.1 - C:\Program Files (x86)\Yarn x\bin\yarn.CMD
npm: 6.13.7 - C:\Program Files\nodejs\npm.CMD
Browsers:
Internet Explorer: 11.0.9600.19301
npmPackages:
react: ^16.13.0 => 16.13.0
react-dom: ^16.13.0 => 16.13.0
react-scripts: 3.4.0 => 3.4.0
npmGlobalPackages:
create-react-app: Not Found

Steps to reproduce

Install new version of React.


  1. npx create-react-app my-app
  2. Test with Snyk.io
@nceight

nceight commented Mar 8, 2020

I also have the same issue

@BMD-518

BMD-518 commented Mar 8, 2020

As do I! Feeling less lonely now

@SirMauri

SirMauri commented Mar 8, 2020

I also have this issue.
npm audit says that the acorn vuln is patched in version >=7.1.1. I don't know if installing the acorn module directly at the latest version with npm install acorn@latest will solve it. Gonna give it a try and share my results.

@jakubkratina

@SirMauri any results?

@bpedersen

Setting resolutions in package.json is the better approach if using yarn as you don’t explicitly set a dependency on acorn in your project.

@dusty

dusty commented Mar 8, 2020

@bpedersen thanks for the recommendation, this clears the warnings in yarn audit.

  "resolutions": {
    "acorn": "^7.1.1"
  },

@BMD-518

BMD-518 commented Mar 8, 2020

Adding the resolution worked. I came across this issue while working on a very small project using create-react-app. I'm pretty new to coding but I couldn't find a way to address this with npm. I just switched over to yarn but I'm still curious, what can be done about this in projects set up with node package manager?

@w3bdesign
Author

@dusty @bpedersen @BMD-518

It may remove the warning to manually set the resolution, but does it affect anything in the Create React App in any way? Like, any functionality?

@dusty

dusty commented Mar 9, 2020

I haven't noticed any build issues with the patched acorn.

@w3bdesign
Author

@dusty
And no visible bugs in any React apps?

@vanskins

vanskins commented Mar 9, 2020

Is there a fix for this?

@jBraekke

jBraekke commented Mar 9, 2020

Any fix for npm? I've found 17 moderate severity vulnerabilities related to react-scripts using acorn.

@vanskins

vanskins commented Mar 9, 2020

This needs to be fixed asap because it affects developers using create-react-app.

@chrisgiann44

resolution worked for me

@leinss

leinss commented Mar 9, 2020

Running npm, I was able to fix it temporarily by
adding to package.json scripts:
"preinstall": "npx npm-force-resolutions",

and adding to package.json
"resolutions": { "acorn": "^7.1.1" }

waiting for react-scripts update though.

@Ordinal43

Running npm, I was able to fix it temporarily by
adding to package.json scripts:
"preinstall": "npx npm-force-resolutions",

and adding to package.json
"resolutions": { "acorn": "^7.1.1" }

waiting for react-scripts update though.

For others attempting this fix, please be mindful of your other dependencies that use acorn.
I tried this solution and sadly 7.1.1 broke some of my other modules.

shrugs, guess I'll have to wait on actual fixes.

@jBraekke

jBraekke commented Mar 9, 2020

Solved it temporarily by using npm-audit-resolver

@vanskins

vanskins commented Mar 9, 2020

Any updates ?

@mohammedmunna

mohammedmunna commented Mar 10, 2020

  "resolutions": {
    "acorn": "^7.1.1"
  },

did not work for me.

any updates on the fix?

@Dmitrijus1989

Dmitrijus1989 commented Mar 10, 2020

same here :

Moderate Regular Expression Denial of Service
Package acorn
Patched in >=6.4.1 <7.0.0 || >=7.1.1
Dependency of react-scripts
Path react-scripts > jest > jest-cli > jest-config >
jest-environment-jsdom > jsdom > acorn
More info https://npmjs.com/advisories/1488

any updates ?
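The npm audit output above gives the patched ranges (>=6.4.1 <7.0.0 || >=7.1.1) and the dependency path, but it is tedious to check by hand which nested copies of acorn a lockfile actually pins, which is the question behind the resolutions workarounds in this thread. The following is an added example, not code from this thread or from create-react-app: it walks a lockfile-v1 style "dependencies" tree, reports every acorn entry with its path, and flags versions below the patched release of their major line. The 5.x patch version (5.7.4) is assumed from the acorn release history, not stated in the advisory quoted above; the sample lockfile is constructed.

```javascript
// Minimum patched release per acorn major line. 6.x and 7.x come from the
// npm advisory quoted in this thread; 5.7.4 is an assumption for the 5.x line.
const PATCHED = [
  { major: 5, min: [5, 7, 4] },
  { major: 6, min: [6, 4, 1] },
  { major: 7, min: [7, 1, 1] },
];

// Parse "major.minor.patch" (pre-release/build suffixes are ignored).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// true when this acorn version is at or above the patched release of its major line.
// Majors newer than 7 post-date the fix; majors older than 5 are flagged for manual review.
function isPatchedAcorn(version) {
  const v = parseVersion(version);
  const line = PATCHED.find((p) => p.major === v[0]);
  if (!line) return v[0] > 7;
  return cmp(v, line.min) >= 0;
}

// Recursively walk the lockfile "dependencies" tree and collect every acorn entry.
function findAcorn(lock, path = [], out = []) {
  for (const [name, entry] of Object.entries(lock.dependencies || {})) {
    const here = [...path, name];
    if (name === 'acorn') {
      out.push({ path: here.join(' > '), version: entry.version, patched: isPatchedAcorn(entry.version) });
    }
    findAcorn(entry, here, out);
  }
  return out;
}

function vulnerableAcorn(lock) {
  return findAcorn(lock).filter((e) => !e.patched);
}

// Constructed sample lockfile: a nested acorn under jsdom, a hoisted one under
// react-scripts, and a patched top-level copy, mirroring the paths in the audit output.
const SAMPLE_LOCK = {
  dependencies: {
    'react-scripts': { version: '3.4.0', dependencies: {
      jest: { version: '24.9.0', dependencies: {
        jsdom: { version: '11.12.0', dependencies: { acorn: { version: '5.7.3' } } } } },
      acorn: { version: '6.4.0' },
    } },
    acorn: { version: '7.1.1' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const lock = process.argv[2] ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8')) : SAMPLE_LOCK;
  for (const e of findAcorn(lock)) console.log(`${e.patched ? 'ok  ' : 'VULN'} ${e.version.padEnd(8)} ${e.path}`);
}
```

Run it as `node check-acorn.js package-lock.json` after `npm i` to see which copies a forced resolution actually changed; with no argument it prints the constructed sample.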

@marcioolivia

marcioolivia commented Mar 10, 2020

Same here,
I tried the workaround with version 7.1.1, but it "broke" my app, so I tried 6.4.1 and that worked for me.
But it's still a workaround...

"scripts": {
    "preinstall": "npx npm-force-resolutions",
    "start": "react-scripts start",
    "build": "react-scripts build",
    "test": "react-scripts test",
    "eject": "react-scripts eject",
    "lint-quiet": "eslint . --quiet",
    "start-prod": "node app.js"
  },
  "resolutions": {
    "acorn": "^6.4.1"
  }

any updates ?

dmihalcik-virtru added a commit to virtru/protect-and-track that referenced this issue Mar 10, 2020
@sofalse

sofalse commented Mar 10, 2020

jestjs/jest#9643

Update to jest v25.1.0 required in order to fix that vulnerability. It has some breaking changes, so I don't know if that's doable.

@BMD-518

BMD-518 commented Mar 10, 2020

Well, I had taken the resolutions route but just removed the resolutions from my package.json and ran yarn audit after updating packages and I'm no longer getting any vulnerabilities. So.. maybe it's been fixed?

@marcioolivia

I don't know if it is a fix. I did the yarn audit.

yarn audit
yarn audit v1.19.1
info No lockfile found.
warning @material-ui/core > [email protected]: You can find the new Popper v2 at @popperjs/core, this package is dedicated to the legacy v1
warning react-scripts > jest-environment-jsdom-fourteen > jsdom > [email protected]: request has been deprecated, see request/request#3142
warning react-scripts > jest > jest-cli > jest-config > jest-environment-jsdom > jsdom > [email protected]: request has been deprecated, see request/request#3142
warning react-scripts > jest > jest-cli > jest-config > jest-environment-jsdom > jsdom > [email protected]: use String.prototype.padStart()
warning react-scripts > workbox-webpack-plugin > workbox-build > strip-comments > babel-plugin-transform-object-rest-spread > babel-runtime > [email protected]: core-js@<3 is no longer maintained and not recommended for usage due to the number of issues. Please, upgrade your dependencies to the actual version of core-js@3.
warning [email protected]: request has been deprecated, see request/request#3142
0 vulnerabilities found - Packages audited: 920690
Done in 31.75s.

But, as shown, it doesn't fix anything, it just shows what is deprecated, without upgrading or anything. Actually, I don't know what yarn did to show 0 vulnerabilities...

But when I did "npm i", my "package-lock.json" was changed: in jsdom, the version of acorn went from 6.4.1 (has no issues) to 5.7.4, which has the main problem (vulnerability issue).

But still 0 vulnerabilities, even with acorn 5.7.4 ¯\_(ツ)_/¯

@SimenB
Contributor

SimenB commented Mar 12, 2020

Acorn 5, 6 and 7 have all had patch releases fixing it, so this shouldn't be an issue anymore

@marcioolivia

I deleted the node_modules folder and the lock files (npm and yarn) and I ran:
yarn

And everything is ok, 0 vulnerabilities.
After that, I ran npm i (why not? ¯\_(ツ)_/¯)
Also 0 vulnerabilities.

To finish, yarn start is working fine.

I think this issue can be closed.

@zwarrell

New patch worked for me! Ran an npm audit fix and it was able to fix the vulnerabilities with the new patch available.

@w3bdesign
Author

Issue confirmed fixed after deleting package-lock.json, deleting node_modules, running npm install and then npm audit fix again.

Also reran Snyk test and no more acorn vulnerabilities.

@lock lock bot locked and limited conversation to collaborators Mar 17, 2020