@umijs/bundler-utils versions 4.4.6 and 4.4.5 are incremental updates to a utility library designed to streamline bundler interactions within the UmiJS ecosystem. Both versions maintain consistent dependencies on core packages like spdy, esbuild, regenerate, and regenerate-unicode-properties, ensuring compatibility and stability. Their development dependencies showcase a comprehensive suite of Babel tools, including core, parser, types, generator, and various presets and plugins, highlighting the library's reliance on Babel for code transformation and manipulation. There are also testing tools like tapable and utility libraries like express, less and http-proxy-middleware.
The primary difference between versions 4.4.5 and 4.4.6 lies in the updated @umijs/utils dependency, moving from version 4.4.5 to 4.4.6. Developers upgrading should investigate the changelog of @umijs/utils for any breaking changes or new features introduced in that specific patch release. While the file count and unpacked size remain identical, suggesting no major structural modifications, the releaseDate indicates a more recent build, implying bug fixes or minor enhancements. For developers, these utilities abstract away complexities inherent in bundler configurations, simplifying common tasks such as module resolution, code transformation, and asset management within UmiJS projects. Tracking patch releases, and the packages they depend on, matters for the performance and maintainability of any project that uses the library.
All the vulnerabilities related to version 4.4.6 of the package
esbuild enables any website to send any requests to the development server and read the response
esbuild allows any website to send any request to the development server and read the response due to default CORS settings.
esbuild sets the Access-Control-Allow-Origin: * header to all requests, including the SSE connection, which allows any website to send any request to the development server and read the response.
https://github.com/evanw/esbuild/blob/df815ac27b84f8b34374c9182a93c94718f8a630/pkg/api/serve_other.go#L121
https://github.com/evanw/esbuild/blob/df815ac27b84f8b34374c9182a93c94718f8a630/pkg/api/serve_other.go#L363
Attack scenario:
- A malicious web page is served at http://malicious.example.com
- A fetch('http://127.0.0.1:8000/main.js') request is made by JS in that malicious web page. This request is normally blocked by same-origin policy, but that's not the case for the reasons above.
- The content of http://127.0.0.1:8000/main.js is readable by that page.
In this scenario, I assumed that the attacker knows the URL of the bundle output file name. But the attacker can also get that information by
- /index.html: normally you have a script tag here
- /assets: it's common to have an assets directory when you have JS files and CSS files in a different directory, and the directory listing feature tells the attacker the list of files
- /esbuild SSE endpoint: the SSE endpoint sends the URL path of the changed files when the file is changed (new EventSource('/esbuild').addEventListener('change', e => console.log(e.type, e.data)))
The scenario above fetches the compiled content, but if the victim has the source map option enabled, the attacker can also get the non-compiled content by fetching the source map file.
Reproduction:
- npm i
- npm run watch
- run fetch('http://127.0.0.1:8000/app.js').then(r => r.text()).then(content => console.log(content)) in a different website's dev tools.
Impact: users using the serve feature may get the source code stolen by malicious websites.
fast-redact vulnerable to prototype pollution
fast-redact is a package that provides very fast object redaction. A Prototype Pollution vulnerability in the nestedRestore function of fast-redact version 3.5.0 and before allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence.