Nodemailer-mailgun-transport: high severity vulnerability in netmask plugin
- What kind of issue are you reporting?
- A bug in a plugin of nodemailer-mailgun-transport ^2.0.2 (netmask plugin)
High severity vulnerability
State your problem here:
Run "npm audit" or "npm install" with nodemailer-mailgun-transport ^2.0.2
gives me:
"netmask npm package vulnerable to octal input data"
"patched in >=2.0.1"
Netmask is used by up to 300k live projects. Vulnerability reported on about two days ago.
zhyrin
All 17 comments
Hey, I tried to patch the package-lock.json to use a NON-VULNERABLE version of netmask - I think it worked? Let me know what you're seeing now :)
orliesaurus
on 6 Apr 2021
Looks fixed to me in a clean checkout + npm install
I'm still seeing it in a production project through yarn audit, though, I suspect it hasn't been published
anachronic
on 6 Apr 2021
@anachronic I published in npm as 2.0.3 - https://www.npmjs.com/package/nodemailer-mailgun-transport
orliesaurus
on 8 Apr 2021
Apparently nodemailer-mailgun-transport id using a now non-official mailgun library? Is this an easy swap to the "official" version? Seems like the proper dependency should be "mailgun.js" and then that will alleviate the security vulnerability (and hopefully help for future issues). Discussion here: https://github.com/mailgun/mailgun-js/issues/122
rfox12
on 9 Apr 2021
Yeah just change the dependency and rewrite the code bit of code that are used for the official library.
official plugin: https://www.npmjs.com/package/mailgun.js
deprecated plugin: https://www.npmjs.com/package/mailgun-js (its referenced in mailgun docs, hence the confusion)
official uses '...require=('mailgun.js) as opposed to ...require('mailgun-js')
Tired, but hope it was a tldr
zhyrin
on 9 Apr 2021
@zhyrin guess someone is gonna have to do some research to see how much code rewrite is needed
orliesaurus
on 10 Apr 2021
not interested
zhyrin
on 12 Apr 2021
@zhyrin guess someone is gonna have to do some research to see how much code rewrite is needed
Is #104 not a fix for this?
anachronic
on 12 Apr 2021
not interested
great! at least you're honest about how you like open source
orliesaurus
on 12 Apr 2021
Is #104 not a fix for this?
let me take a look
orliesaurus
on 12 Apr 2021
Look like the latest version of mail gun is still vulnerable? https://snyk.io/advisor/npm-package/mailgun-js
omerlh
on 4 May 2021
@omerlh We've upgraded to the other one - that one is deprecated
orliesaurus
on 4 May 2021
Which one? I can see the latest version is still vulnerable: https://snyk.io/advisor/npm-package/nodemailer-mailgun-transport
omerlh
on 5 May 2021
I believe this is solved in master (see #104), however, 2.0.3 (last version published) seems to point to the last commit before the fix.
Although I'm not sure, maybe publishing a new version solves this?
anachronic
on 6 May 2021
@orliesaurus can we get a new release based on @anachronic's point?
shawncarr
on 6 May 2021
Yeah I definitely need to push the update that is in master! Thanks y'all!
orliesaurus
on 6 May 2021
Any timeline on this version bump? Should this ticket be closed before the latest version is updated to master?
axelauvinen
on 7 May 2021
Related issues
WillSquire
·
11Comments
akshaysrin
·
3Comments
thalesfsp
·
3Comments
andrewchch
·
3Comments
fuzihaofzh
·
3Comments