
[Bug] Security vulnerability in [email protected] (used by VSCode & Monaco) #4692

Closed · 2 tasks done
aleixsuau opened this issue Sep 20, 2024 · 8 comments
Labels: bug (Issue identified by VS Code Team member as probable bug), verified (Verification succeeded)

Comments

aleixsuau commented Sep 20, 2024

Reproducible in vscode.dev or in VS Code Desktop?

  • Not reproducible in vscode.dev or VS Code Desktop

Reproducible in the monaco editor playground?

Monaco Editor Playground Link

No response

Monaco Editor Playground Code

No response

Reproduction Steps

No response

Actual (Problematic) Behavior

Our OWASP scan detected an issue in [email protected], CVE-2024-45801, which seems to be used by the Monaco editor (VSCode): https://github.com/microsoft/vscode/blob/main/src/vs/base/browser/dompurify/dompurify.js

Please update to [email protected] to get rid of that vulnerability.

Thanks

Expected Behavior

There should be no vulnerability issues.

Additional Context

No response

jshawl commented Sep 20, 2024

It looks like DOMPurify was bumped here https://github.com/microsoft/vscode/pull/228773/files but not yet vendored like in this other DOMPurify bump PR - https://github.com/microsoft/vscode/pull/189368/files
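As an added example (not code from monaco-editor, VS Code or DOMPurify), here is a check for the situation described in the comment above: package.json declares a newer DOMPurify than the copy actually vendored into the tree. It assumes that a DOMPurify dist build carries a `DOMPurify.version = '…'` literal that survives vendoring; the package.json and vendored-file contents below are constructed samples, and the `3.0.5` in the sample is a placeholder, not a claim about what VS Code shipped. The minimum of `3.1.7` is the release the thread identifies as the fix.

```javascript
// Added example: detect a dependency bump whose vendored copy was not refreshed.
// Not project code; all inputs below are constructed samples.

// Parse "MAJOR.MINOR.PATCH" into numbers, ignoring a leading ^ or ~ range prefix.
function parseSemver(s) {
  const m = /^[\^~]?(\d+)\.(\d+)\.(\d+)/.exec(s.trim());
  if (!m) throw new Error(`not a semver string: ${s}`);
  return m.slice(1, 4).map(Number);
}

// Compare two semver triples numerically (so 3.1.10 > 3.1.7): returns -1, 0 or 1.
function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Version declared for a package in package.json (dependencies or devDependencies).
function declaredVersion(packageJsonText, name = 'dompurify') {
  const pkg = JSON.parse(packageJsonText);
  const v = (pkg.dependencies && pkg.dependencies[name]) ||
            (pkg.devDependencies && pkg.devDependencies[name]);
  if (!v) throw new Error(`${name} is not declared in package.json`);
  return parseSemver(v);
}

// Version baked into the vendored file. Assumption: the DOMPurify build contains a
// literal such as  DOMPurify.version = '3.1.7';  that survives copying into the tree.
function vendoredVersion(sourceText) {
  const m = /DOMPurify\.version\s*=\s*['"](\d+\.\d+\.\d+)['"]/.exec(sourceText);
  if (!m) throw new Error('no DOMPurify.version literal found in vendored file');
  return parseSemver(m[1]);
}

// Compare declared vs. vendored, and check the vendored copy (the code that actually
// runs) against the minimum release known to carry the fix.
function auditVendoredCopy(packageJsonText, sourceText, minimumFixed) {
  const declared = declaredVersion(packageJsonText);
  const vendored = vendoredVersion(sourceText);
  const minimum = parseSemver(minimumFixed);
  return {
    declared: declared.join('.'),
    vendored: vendored.join('.'),
    inSync: compareSemver(declared, vendored) === 0,
    vendoredIsFixed: compareSemver(vendored, minimum) >= 0,
  };
}

// Constructed samples: package.json already bumped, vendored copy still stale.
// 3.0.5 is a placeholder for the sample, not what any real tree contained.
const samplePackageJson = JSON.stringify({
  name: 'sample',
  dependencies: { dompurify: '^3.1.7' },
});
const sampleVendored =
  "/*! @license DOMPurify | (c) Cure53 */\nDOMPurify.version = '3.0.5';\n";

const report = auditVendoredCopy(samplePackageJson, sampleVendored, '3.1.7');
console.log(report);
if (!report.inSync || !report.vendoredIsFixed) {
  console.log('vendored DOMPurify does not match package.json or is below the fixed release');
}
```

To run this against a real checkout, read `package.json` and `src/vs/base/browser/dompurify/dompurify.js` with `fs.readFileSync(path, 'utf8')` and pass the two strings to `auditVendoredCopy`. A dependency scanner that only reads package.json reports the bumped version and misses the stale copy; comparing against the literal in the shipped file is what catches the gap the thread is about.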

@jasonparallel

@rzhao271 Just wanted to at you as you merged in the version update for DOMPurify

@rzhao271 rzhao271 self-assigned this Sep 24, 2024
@rzhao271 rzhao271 added this to the September 2024 milestone Sep 24, 2024
@rzhao271 rzhao271 added the bug Issue identified by VS Code Team member as probable bug label Sep 25, 2024
@rzhao271 rzhao271 modified the milestones: September 2024, October 2024 Sep 25, 2024
PavPav commented Oct 14, 2024

Looks like one more CVE has been found now, CVE-2024-47875, but updating to [email protected] should still solve the issue.

mjbvz (Contributor) commented Oct 14, 2024

This pr will bump to the currently latest release (3.1.7): microsoft/vscode#230250

@rzhao271 rzhao271 removed their assignment Oct 21, 2024
mjbvz (Contributor) commented Oct 21, 2024

Closing as upstream change in VS Code has been merged

@mjbvz mjbvz closed this as completed Oct 21, 2024
@rzhao271 rzhao271 added the verified Verification succeeded label Oct 23, 2024
@acherkashin

@mjbvz thank you for fixing the issue 👍.

Do you happen to know when 0.53 monaco-editor version will be released with the vulnerability fix?

@aleixsuau (Author)

Hi, when do you plan to release the fix in the Monaco-editor?

Thanks

@acherkashin

@aleixsuau it is tracked in #4738, no idea when it will be released unfortunately

7 participants