Opened 10 months ago
Closed 8 months ago
#63903 closed defect (bug) (reported-upstream)
Vulnerable dependency: @babel/runtime 7.25.7 in WordPress packages
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | 6.9 |
| Component: | General | Keywords: | |
| Focuses: | javascript | Cc: | |
Description
The following WordPress packages contain a vulnerable version of @babel/runtime (7.25.7) that is susceptible to Regular Expression Denial of Service (ReDoS) attacks.
Affected packages:
- @wordpress/icons@10.17.0
- @wordpress/element@6.17.0
- @wordpress/escape-html@3.17.0
Vulnerability: SNYK-JS-BABELRUNTIME-10044504
CVE: Available in Snyk database
The vulnerable regex patterns in @babel/runtime 7.25.7 can cause significant performance degradation when processing certain input patterns. This has been patched in @babel/runtime 7.26.0+.
Please see: https://security.snyk.io/vuln/SNYK-JS-BABELRUNTIME-10044504
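As an added check, not part of the ticket or of the WordPress or Babel projects: a small Node script that audits an npm package-lock.json (assumed lockfileVersion 2 or 3, flat "packages" map) for copies of @babel/runtime below the patched 7.26.0 and names the package that nests each copy. The lockfile fragment below is constructed to mirror the packages the ticket lists.

```javascript
// Added example: find @babel/runtime < 7.26.0 in a package-lock.json and
// report which dependency pulls each copy in. Not code from the ticket.
const PATCHED = [7, 26, 0]; // first fixed version named in the ticket

function parseSemver(v) {
  // Keep only major.minor.patch; tolerate pre-release suffixes like "7.26.0-beta".
  return v.split('-')[0].split('.').slice(0, 3).map((n) => parseInt(n, 10) || 0);
}

function isVulnerable(version) {
  const a = parseSemver(version);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== PATCHED[i]) return a[i] < PATCHED[i];
  }
  return false; // exactly 7.26.0 is patched
}

// Walk the flat "packages" map of lockfileVersion 2/3. Keys are install paths
// such as "node_modules/@wordpress/icons/node_modules/@babel/runtime".
function findVulnerableBabelRuntime(lock) {
  const hits = [];
  for (const [path, info] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/@babel/runtime')) continue;
    if (!info || !info.version || !isVulnerable(info.version)) continue;
    // The nesting package is the path segment before the trailing node_modules;
    // a hoisted top-level copy has none and is attributed to the root.
    const parent = path
      .replace(/\/?node_modules\/@babel\/runtime$/, '')
      .replace(/^.*node_modules\//, '');
    hits.push({ path, version: info.version, via: parent || '(root)' });
  }
  return hits;
}

// Constructed sample lockfile fragment (not a real project's lockfile).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/@babel/runtime': { version: '7.26.0' },
    'node_modules/@wordpress/icons': { version: '10.17.0' },
    'node_modules/@wordpress/icons/node_modules/@babel/runtime': { version: '7.25.7' },
    'node_modules/@wordpress/element': { version: '6.17.0' },
    'node_modules/@wordpress/element/node_modules/@babel/runtime': { version: '7.25.7' },
  },
};

console.log(findVulnerableBabelRuntime(SAMPLE_LOCK));
```

Against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; each reported `via` is a package whose pinned @babel/runtime needs an override or an upstream bump.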
Change History (3)
#2 (10 months ago)
Thanks, I hadn't seen that. I created the ticket because I believe this exploit is being used to attack a high profile client website. I'm going to override the version in my project but thought it was worth flagging.
#3 (8 months ago)
- Milestone Awaiting Review deleted
- Resolution set to reported-upstream
- Status changed from new to closed
Closing as a duplicate of https://github.com/WordPress/gutenberg/issues/69557
There is an open PR in the GB repo: https://github.com/WordPress/gutenberg/pull/69614.