Openvidu-angular has security vulnerability from semver

jochris · August 31, 2023, 8:16pm

Hi,

We’re using openvidu-angular and openvidu-browser (version 2.23.0) in Angular 14 project.
I would like to know how we can fix the security vulnerabilities that are coming from vulnerable versions of semver in openvidu library.

Here’s the npm audit report:

# npm audit report

semver  7.0.0 - 7.5.1
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix --force`
Will install openvidu-browser@2.20.0, which is a breaking change
node_modules/openvidu-browser/node_modules/semver
  openvidu-browser  >=2.21.0-beta1
  Depends on vulnerable versions of semver
  node_modules/openvidu-browser
    openvidu-angular  >=2.21.0
    Depends on vulnerable versions of openvidu-browser
    node_modules/openvidu-angular

cruizba · September 8, 2023, 1:29pm

Thank you for reporting.

I’ve seen the CVE. Looks like the DoS is possible with untrusted user data. semver is only used to check backend and frontend versions, which are fixed and well known string constants.

Also, this is more feasible when semver is used in the backend side, not the case of openvidu-browser which is mainly used in the frontend.

You can rest assured

Topic		Replies	Views
Vulnerabilities in Outdated Libraries How to implement? v2	1	40	May 21, 2024
Security issues in Openvidu 2.29 Issues developing apps v2	17	122	September 23, 2024
OpenVidu is not affected by Log4J vulnerability and Elasticsearch additional info (CVE-2021-44228, CVE-2021-45046) Announcements	2	933	December 16, 2021
Openvidu-angular library with angular 1 app How to implement? v2	1	386	April 22, 2020
OpenVidu Angular Issues developing apps v2	4	851	June 12, 2020

Openvidu-angular has security vulnerability from semver

Related topics