Potential security issue by abusing the URL object #1831
-
Chatting with @lebr0nli privately. At some point we'll probably need a security correspondence point, but I don't think we're there just yet.
-
GitHub has added this to their advisory database, and it is now being picked up by Dependabot dependency scanning.
-
I can't find any open issues, changelog entries, blog entries, or notices stating when this CVE is planned to be fixed. Can someone from the project please provide some official guidance?
-
I found a potential security issue by abusing the URL parser.
But I'm not sure whether this is a real vulnerability or just a feature.
Although I think the potential issue I found is not a huge security issue like RCE, I want to talk more privately if possible.
Is there a security@encode.io or something I can DM? If there is not, I can share what I found here, too.