
13.3.8 build_angular uses vulnerable terser 5.11.0: CVE-2022-25858 #23593


Closed
SymbioticKilla opened this issue Jul 18, 2022 · 7 comments · Fixed by #23604 or #23605

@SymbioticKilla

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25858

Hi,

Is it possible to update terser in the 13.3.x branch?
https://github.com/angular/angular-cli/blob/13.3.x/packages/angular_devkit/build_angular/package.json

Thanks!

@andreea-suditu

Any updates on this issue?

@alan-agius4
Collaborator

While this vulnerability doesn't apply to the Angular CLI, as we don't expect maliciously crafted JS to be passed during the build, we will be updating the version of terser in versions 12 and 13.

alan-agius4 added a commit to alan-agius4/angular-cli that referenced this issue Jul 20, 2022
…-25858

While this vulnerability cannot be exploited through the Angular CLI, as we don't expect it to be run on production servers, we update terser to remove the unnecessary vulnerability noise.

Closes angular#23593
alan-agius4 added a commit to alan-agius4/angular-cli that referenced this issue Jul 20, 2022
…-25858

While this vulnerability cannot be exploited through the Angular CLI, as we don't expect it to be run on production servers, we update terser to remove the unnecessary vulnerability noise.

Closes angular#23593

(cherry picked from commit 3d0b6fe)
@alan-agius4 alan-agius4 self-assigned this Jul 20, 2022
alan-agius4 added a commit to alan-agius4/angular-cli that referenced this issue Jul 20, 2022
…-25858

While this vulnerability cannot be exploited through the Angular CLI, as we don't expect it to be run on production servers, we update terser to remove the unnecessary vulnerability noise.

Closes angular#23593

(cherry picked from commit 3d0b6fe)
clydin pushed a commit that referenced this issue Jul 20, 2022
…-25858

While this vulnerability cannot be exploited through the Angular CLI, as we don't expect it to be run on production servers, we update terser to remove the unnecessary vulnerability noise.

Closes #23593
@alan-agius4
Collaborator

Closed via #23604 (comment)

clydin pushed a commit that referenced this issue Jul 20, 2022
…-25858

While this vulnerability cannot be exploited through the Angular CLI, as we don't expect it to be run on production servers, we update terser to remove the unnecessary vulnerability noise.

Closes #23593

(cherry picked from commit 3d0b6fe)
@voruti

voruti commented Jul 28, 2022

We will be updating the version of terser in version 12 and 13.

Why not in version 14?

@alan-agius4
Collaborator

Because terser version 5.14.2 is already being used in version 14.

@voruti

voruti commented Jul 28, 2022

Oh, I see. It is up to date on version 14.1.0.

@angular-automatic-lock-bot

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

This action has been performed automatically by a bot.

@angular-automatic-lock-bot angular-automatic-lock-bot bot locked and limited conversation to collaborators Aug 28, 2022