
fix: security issue from esbuild v0.24.2 and lower #238


Open: wants to merge 1 commit into base: master

Conversation

seawind543

esbuild version <= 0.24.2 got a security alert for CWE-346: Origin Validation Error. Suggest upgrading esbuild to the latest version, 0.25.1.

Note: After some investigation, I found that the package esbuild is a peerDependency of the package bundle-require, which requires "esbuild": ">=0.17" in its v4.0.4.


Summary
esbuild allows any website to send any request to the development server and read the response due to the default CORS settings.

Details
esbuild sets the Access-Control-Allow-Origin: * header on all requests, including the SSE connection, which allows any website to send any request to the development server and read the response.

https://github.com/evanw/esbuild/blob/df815ac27b84f8b34374c9182a93c94718f8a630/pkg/api/serve_other.go#L121
https://github.com/evanw/esbuild/blob/df815ac27b84f8b34374c9182a93c94718f8a630/pkg/api/serve_other.go#L363
