
[Bug report] Please upgrade the esbuild dependency when you have time #1639

Closed
zjkal opened this issue Mar 18, 2025 · 1 comment
Labels
question Asking question

Comments

@zjkal

zjkal commented Mar 18, 2025

Description

As the title says: GitHub keeps warning that esbuild has a vulnerability, please upgrade to 25.0.0 or above.

Reproduction

none

Used Package Manager

npm

System Info

Summary
esbuild allows any website to send any request to the development server and read the response due to default CORS settings.

Details
esbuild sets the Access-Control-Allow-Origin: * header on all requests, including the SSE connection, which allows any website to send any request to the development server and read the response.

https://github.com/evanw/esbuild/blob/df815ac27b84f8b34374c9182a93c94718f8a630/pkg/api/serve_other.go#L121
https://github.com/evanw/esbuild/blob/df815ac27b84f8b34374c9182a93c94718f8a630/pkg/api/serve_other.go#L363

Attack scenario:

1. The attacker serves a malicious web page (http://malicious.example.com).
2. The user accesses the malicious web page.
3. The attacker sends a fetch('http://127.0.0.1:8000/main.js') request by JS in that malicious web page. This request is normally blocked by same-origin policy, but that's not the case for the reasons above.
4. The attacker gets the content of http://127.0.0.1:8000/main.js.
In this scenario, I assumed that the attacker knows the URL of the bundle output file name. But the attacker can also get that information by

- Fetching /index.html: normally you have a script tag here
- Fetching /assets: it's common to have an assets directory when you have JS files and CSS files in a different directory, and the directory listing feature tells the attacker the list of files
- Connecting to the /esbuild SSE endpoint: the SSE endpoint sends the URL path of the changed files when a file is changed (new EventSource('/esbuild').addEventListener('change', e => console.log(e.type, e.data)))
- Fetching URLs in the known file: once the attacker knows one file, the attacker can learn the URLs imported from that file
The scenario above fetches the compiled content, but if the victim has the source map option enabled, the attacker can also get the non-compiled content by fetching the source map file.

PoC

1. Download reproduction.zip
2. Extract it and move to that directory
3. Run npm i
4. Run npm run watch
5. Run fetch('http://127.0.0.1:8000/app.js').then(r => r.text()).then(content => console.log(content)) in a different website's dev tools.

Impact
Users using the serve feature may get the source code stolen by malicious websites.
@Mister-Hope
Member

Mister-Hope commented Mar 19, 2025

Our VuePress is not affected by this; you can override the version manually if anything bothers you about the CVE.

@Mister-Hope Mister-Hope added the question Asking question label Mar 19, 2025
@Mister-Hope Mister-Hope closed this as not planned Mar 19, 2025