Library Affected:
workbox-build v7.1.0 and workbox-webpack-plugin v7.1.0.
Browser & Platform:
All Browsers
Issue or Feature Request Description:
Dear Maintainer/Project Team,
I am writing to inform you about a security vulnerability in the EJS template engine (version 3.1.10) that affects your project via transitive dependencies. Specifically, the vulnerability is present in surma/rollup-plugin-off-main-thread v2.2.3, which is a dependency of workbox-build v7.1.0 and workbox-webpack-plugin v7.1.0.
Given the potential security risks associated with this vulnerability, I would like to request an update to your project that removes or replaces the vulnerable dependency. A possible solution could be updating to a non-vulnerable version of EJS (3.1.11 or later) or switching to an alternative templating engine if feasible.
Addressing this issue would help ensure that projects depending on your library can maintain security best practices. Please let me know if there are any plans to release an update or if there are workarounds that can be implemented in the meantime.
Thank you for your attention to this matter and for your continued work on this important project.
Best regards,
Kate.
Dear workbox developers, it would really help if you could take a look at that CVE-2023-29827 issue (or rather, its update CVE-2024-33883), whether workbox is affected or not. We would especially like to know whether workbox (or its third-party dependency surma/rollup-plugin-off-main-thread) passes unsanitized input to the ejs render function. Our customer is very nervous about this. Thank you.
Another way to solve this issue would be to mark the dependency surma/rollup-plugin-off-main-thread as a devDependency instead of a runtime dependency. It is only needed at build time.
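As an added example that is not part of this issue thread or of the workbox project: a small Node script that walks a package-lock.json (lockfileVersion 2/3 "packages" map), flags every installed copy of ejs below the 3.1.11 fix version named in the report, and says whether that copy is reachable at runtime or only through devDependencies, which is exactly the distinction the comment above turns on. The lockfile is constructed inline for the demo; its paths, the scoped package name @surma/rollup-plugin-off-main-thread and the dev flags are assumptions, not taken from workbox's real lockfile.

```javascript
// Added example (not workbox project code): audit a lockfile for vulnerable
// ejs copies and classify each as runtime vs dev-only.

const EJS_FIXED_VERSION = '3.1.11'; // first non-vulnerable version per the report

// Compare two "major.minor.patch" strings numerically; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// "node_modules/a/node_modules/@scope/b/node_modules/ejs" -> ["a", "@scope/b", "ejs"]
function chainFromPath(lockPath) {
  return lockPath
    .split('node_modules/')
    .map((part) => part.replace(/\/$/, ''))
    .filter(Boolean);
}

// Which installed packages declare a dependency on `name`? This answers
// "who pulls it in" even when npm hoisting has flattened the install path.
function dependentsOf(lock, name) {
  return Object.entries(lock.packages)
    .filter(([path, meta]) => path !== '' && meta.dependencies && name in meta.dependencies)
    .map(([path]) => chainFromPath(path).pop());
}

// Every installed ejs older than `fixedVersion`, with its install chain and
// whether it ships to consumers (npm marks dev-only entries with dev: true).
function findVulnerableEjs(lock, fixedVersion = EJS_FIXED_VERSION) {
  const findings = [];
  for (const [lockPath, meta] of Object.entries(lock.packages)) {
    if (!lockPath.endsWith('node_modules/ejs')) continue;
    if (compareVersions(meta.version, fixedVersion) >= 0) continue;
    findings.push({
      path: lockPath,
      version: meta.version,
      chain: chainFromPath(lockPath),
      runtime: !meta.dev,
    });
  }
  return findings;
}

// Constructed sample lockfile (assumption: layout and dev flags are illustrative).
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': {
      name: 'demo-app',
      dependencies: { 'workbox-build': '7.1.0' },
      devDependencies: { 'some-dev-tool': '1.0.0' },
    },
    'node_modules/workbox-build': {
      version: '7.1.0',
      dependencies: { '@surma/rollup-plugin-off-main-thread': '2.2.3' },
    },
    'node_modules/@surma/rollup-plugin-off-main-thread': {
      version: '2.2.3',
      dependencies: { ejs: '3.1.10' },
    },
    // Nested copy: the top-level ejs is a different version, so npm cannot hoist it.
    'node_modules/@surma/rollup-plugin-off-main-thread/node_modules/ejs': {
      version: '3.1.10',
    },
    'node_modules/some-dev-tool': {
      version: '1.0.0',
      dev: true,
      dependencies: { ejs: '3.1.11' },
    },
    'node_modules/ejs': { version: '3.1.11', dev: true },
  },
};

// Human-readable report lines for a lockfile.
function auditReport(lock) {
  return findVulnerableEjs(lock).map(
    (f) => `ejs ${f.version} (${f.runtime ? 'RUNTIME' : 'dev-only'}) via ${f.chain.join(' > ')}`
  );
}

for (const line of auditReport(SAMPLE_LOCK)) console.log(line);
console.log('packages depending on ejs:', dependentsOf(SAMPLE_LOCK, 'ejs').join(', '));
```

Run it against a real lockfile by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. A finding marked RUNTIME means the vulnerable copy is installed for every consumer of the package; a dev-only finding is what the devDependency proposal above would produce, and that copy never reaches a consumer's tree.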