ocbrollingpaper - CVE-2021-44907 | Stripe Developers | Page 1

wraith onyx Mar 28, 2022, 6:53 PM

#

sonic umbra Mar 28, 2022, 6:54 PM

#

its a bug in qs lib

#

Severity is high, leads to DoS

#

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44907

CVE - CVE-2021-44907

The mission of the CVE® Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities.

wraith onyx Mar 28, 2022, 6:55 PM

#

Thanks for the context. Checking in to if our node library has a fix for that

sonic umbra Mar 28, 2022, 6:56 PM

#

the fix is to upgrade qs to 6.8.1, gonna play around and see what will happen

wraith onyx Mar 28, 2022, 6:57 PM

#

I am not that familiar with this setup. Is that something you can do apart from our library? Or are you making your own version of our library with that upgrade?

sonic umbra Mar 28, 2022, 6:58 PM

#

we ran code scan on our repo, snyk reported that CVE and said the qs lib is used by stripe 8.212.0

wraith onyx Mar 28, 2022, 7:16 PM

#

I am reaching out to a colleague about this. I may be able to get an answer quickly though I don't know for sure. If it is going to take a bit, I will likely ask you to write in to our support website so we can track this question and send you a response via email.

wraith onyx Mar 28, 2022, 7:46 PM

#

Thanks for waiting. We will update our version of qs to the latest https://github.com/stripe/stripe-node/pull/1384

#

In the meantime, if it gives you peace of mind, it doesn't seem like it is a serious vulnerability in this context. https://github.com/ljharb/qs/issues/436#issuecomment-1067538394

sonic umbra Mar 28, 2022, 8:21 PM

#

yeah, im aware its not serious :D i work in cybersec

#

Thank you for your time! Wish there's some more companies like Stripe

wraith onyx Mar 28, 2022, 8:24 PM

#

Of course! Glad I could help. Thanks for reporting it.

#ocbrollingpaper - CVE-2021-44907