Openvidu-angular has a security vulnerability from semver

Hi,

We’re using openvidu-angular and openvidu-browser (version 2.23.0) in an Angular 14 project.
I would like to know how we can fix the security vulnerabilities that are coming from vulnerable versions of semver in openvidu library.

Here’s the npm audit report:

# npm audit report

semver  7.0.0 - 7.5.1
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix --force`
Will install openvidu-browser@2.20.0, which is a breaking change
node_modules/openvidu-browser/node_modules/semver
  openvidu-browser  >=2.21.0-beta1
  Depends on vulnerable versions of semver
  node_modules/openvidu-browser
    openvidu-angular  >=2.21.0
    Depends on vulnerable versions of openvidu-browser
    node_modules/openvidu-angular

Thank you for reporting.

I’ve seen the CVE. Looks like the DoS is possible with untrusted user data. semver is only used to check backend and frontend versions, which are fixed and well known string constants.

Also, this is more feasible when semver is used on the backend side, which is not the case for openvidu-browser, which is mainly used in the frontend.

You can rest assured :slight_smile:
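For anyone who still has to make the audit warning go away (or wants to confirm which copy of semver a project actually resolves), the following is an added example, not code from the thread or from the OpenVidu project. It walks a dependency tree in the shape of `npm ls semver --all --json` output and reports every installed copy of `semver` whose version falls inside the range the audit flagged, 7.0.0 - 7.5.1. The tree below is constructed to mirror the report above (openvidu-angular > openvidu-browser > semver); the version numbers of the two semver copies are assumptions, not values from the page.

```javascript
// Added example: find transitive copies of `semver` inside the flagged range.
// Not from the thread or the OpenVidu project.

// Constructed sample in the shape of `npm ls semver --all --json` output,
// modelled on the audit report in the thread. Versions are assumptions.
const SAMPLE_TREE = {
  name: 'my-app',
  version: '1.0.0',
  dependencies: {
    'openvidu-angular': {
      version: '2.23.0',
      dependencies: {
        'openvidu-browser': {
          version: '2.23.0',
          dependencies: {
            // nested copy: constructed version inside 7.0.0 - 7.5.1
            semver: { version: '7.3.8' },
          },
        },
      },
    },
    // hoisted copy: constructed version outside the flagged range
    semver: { version: '7.5.4' },
  },
};

// Parse "MAJOR.MINOR.PATCH" into numbers. A prerelease suffix such as
// "-beta1" is ignored, so "7.5.2-beta1" compares as 7.5.2.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Sort-style comparator on parsed versions: negative, zero or positive.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Inclusive range test matching the audit's "7.0.0 - 7.5.1" notation.
function inRange(version, lo, hi) {
  const v = parseVersion(version);
  return compareVersions(v, parseVersion(lo)) >= 0 &&
         compareVersions(v, parseVersion(hi)) <= 0;
}

// Recursively collect every installed copy of `pkg` with its path in the tree.
function findCopies(tree, pkg, path = []) {
  const out = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, name];
    if (name === pkg) out.push({ path: here.join(' > '), version: node.version });
    out.push(...findCopies(node, pkg, here));
  }
  return out;
}

// Only the copies whose resolved version lies in the vulnerable range.
function vulnerableCopies(tree, pkg = 'semver', lo = '7.0.0', hi = '7.5.1') {
  return findCopies(tree, pkg).filter(c => inRange(c.version, lo, hi));
}

// Human-readable lines for a report; returned rather than printed so callers
// can feed real `npm ls` JSON and inspect the result.
function report(tree) {
  return vulnerableCopies(tree).map(c => `${c.path}@${c.version} is in the flagged range`);
}

for (const line of report(SAMPLE_TREE)) console.log(line);
```

To run it against a real project, replace `SAMPLE_TREE` with the parsed output of `npm ls semver --all --json`. If the report lists a nested copy, the usual interim fix while waiting for the upstream package to bump its dependency is an `overrides` entry in package.json (npm 8.3 and later) pinning `semver` to a patched release, i.e. anything above the audit's 7.5.1 upper bound; re-running the check afterwards confirms that the nested copy is gone.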