High Security Vulnerability (Denial of Service) issue 1486 in http-proxy #5489

@itsalaidbacklife

Version

4.3.1

Reproduction link

https://github.com/itsalaidbacklife/vue-http-proxy-vulnerability-1486

Environment info

System:
    OS: Windows 10 10.0.18363
    CPU: (4) x64 Intel(R) Core(TM) i7-7500U CPU @ 2.70GHz
  Binaries:
    Node: 12.16.1 - E:\Program Files\nodejs\node.EXE
    Yarn: Not Found
    npm: 6.13.4 - E:\Program Files\nodejs\npm.CMD
  Browsers:
    Edge: 44.18362.449.0
  npmPackages:
    @vue/babel-helper-vue-jsx-merge-props:  1.0.0
    @vue/babel-plugin-transform-vue-jsx:  1.1.2
    @vue/babel-preset-app:  4.2.3
    @vue/babel-preset-jsx:  1.1.2
    @vue/babel-sugar-functional-vue:  1.1.2
    @vue/babel-sugar-inject-h:  1.1.2
    @vue/babel-sugar-v-model:  1.1.2
    @vue/babel-sugar-v-on:  1.1.2
    @vue/cli-overlay:  4.2.3
    @vue/cli-plugin-babel: ~4.2.0 => 4.2.3
    @vue/cli-plugin-e2e-cypress: ^4.3.1 => 4.3.1
    @vue/cli-plugin-eslint: ~4.2.0 => 4.2.3
    @vue/cli-plugin-router:  4.2.3
    @vue/cli-plugin-unit-jest: ^4.3.1 => 4.3.1
    @vue/cli-plugin-vuex:  4.2.3
    @vue/cli-service: ~4.2.0 => 4.2.3
    @vue/cli-shared-utils:  4.2.3 (4.3.1)
    @vue/component-compiler-utils:  3.1.1
    @vue/preload-webpack-plugin:  1.1.1
    @vue/test-utils: 1.0.0-beta.31 => 1.0.0-beta.31
    @vue/web-component-wrapper:  1.2.0
    eslint-plugin-vue: ^6.2.2 => 6.2.2
    jest-serializer-vue:  2.0.2
    vue: ^2.6.11 => 2.6.11
    vue-cli-plugin-vuetify: ~2.0.5 => 2.0.5
    vue-eslint-parser:  7.0.0
    vue-hot-reload-api:  2.3.4
    vue-jest:  3.0.5
    vue-loader:  15.9.0
    vue-router: ^3.1.6 => 3.1.6
    vue-style-loader:  4.1.2
    vue-template-compiler: ^2.6.11 => 2.6.11
    vue-template-es2015-compiler:  1.9.1
    vuetify: ^2.2.27 => 2.2.27
    vuetify-loader: ^1.3.0 => 1.4.3
    vuex: ^3.4.0 => 3.4.0
  npmGlobalPackages:
    @vue/cli: Not Found

Steps to reproduce

npm audit

What is expected?

Newly created projects will not have high-severity security vulnerabilities and will pass npm audit without issues.

What is actually happening?

npm audit reports 1 high-severity security vulnerability 1486

Issue is with Denial of service in
@vue/cli-service > webpack-dev-server > http-proxy-middleware > http-proxy


No patch is currently available. Npm recommends [Considering] "using an alternative package until a fix is made available."
