Description
Hi,
According to some public reports (i.e. GHSA-4jqc-8m5r-9rpr, https://www.cve.org/CVERecord?id=CVE-2021-23440), CVE-2021-23440 is fixed in 4.0.1 along with a backport to 2.0.1.
As I understand it, this is the fix for 4.0.1: 383b72d
That was reached via 4.0.0...4.0.1.
However, when inspecting the changelog between 2.0.0 and 2.0.1 (2.0.0...2.0.1), it seems the fix for CVE-2021-23440 does not exist. This commit cb12f14 seems to be the fix for CVE-2019-10747, while CVE-2021-23440 states that CVE-2019-10747 is bypassed.
When inspecting it even further, there is a pull request for fixing 2.0.1 (#38), but it was not merged, either in the GH repo or in the NPM package itself.
Can you confirm the vulnerable range and the fix here (CVE-2021-23440)? It raises some confusion and I would like to make sure 2.0.1 is safe.
Thanks in advance!