CVE-2022-24434: DoS affecting dicer (sub-dependency)

[sewellstephens]

Discussed in #1253

^{Originally posted by sewellstephens April 14, 2024}
Hi, I'm not at all an expert in cybersecurity nor am I a security researcher, but Snyk security and NPM is warning of critical DDoS vulnerability attached to this package. According to NPM vuln scanner, it seems to be linked to busboy dependency in package.json.

Heres a screenshot:

[UlisesGascon]

I was able to replicate this with this package.jon.

{
  "name": "multer-1254",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "keywords": [],
  "author": "",
  "license": "ISC",
  "dependencies": {
    "multer": "^1.4.2"
  }
}

Snyk is alerting for SNYK-JS-DICER-2311764, but in the Multer page is not shown. I found that confusing at the beginning, but doing a further research I got a better understanding.

By checking the dependencies we can see that busboy@0.2.14 depends on dicer@0.2.5 (see). Multer depends on busboy@^0.2.11 (see)

 "node_modules/busboy": {
      "version": "0.2.14",
      "resolved": "https://registry.npmjs.org/busboy/-/busboy-0.2.14.tgz",
      "integrity": "sha512-InWFDomvlkEj+xWLBfU3AvnbVYqeTWmQopiW0tWWEy5yehYm2YkGEc59sUmw/4ty5Zj/b0WHGs1LgecuBSBGrg==",
      "dependencies": {
        "dicer": "0.2.5",
        "readable-stream": "1.1.x"
      },
      "engines": {
        "node": ">=0.8.0"
      }
    }

Currently there is no fix available for dicer (I was not able to find an open discussion too), so maybe we can upgrade busboy to v1.0.0 (see comparation details) as this version remove dicer and includes streamsearch but this will drop Node.js support to >=10.16.0 for multer.

Said that ... I am not very familiar with multer internals or busboy, so maybe this CVE is not affecting us due the way we are using the dependencies? 🤔

[welchjl]

1.4.2 is deprecated. Update to 1.4.5-lts.1 as it uses busboy 1.0.0 which resolves the vulnerability 👍