React Native is using an old, insecure version of Folly.
The current version of Folly in master is 2018.10.22.00. This version has a "critical" security vulnerability CVE-2019-11934 related to SSL sockets.
The latest version of Folly at the moment is 2019.12.30.00, where the above vulnerability has already been fixed, here.
Could you please update Folly to a newer, patched version?
React Native version:
Steps To Reproduce
- Run `react-native init new_project`
- Open `new_project/node_modules/react-native/third-party-podspecs/Folly.podspec` in a text editor
- Observe how `spec.version` is `2018.10.22.00`
As a consequence, spec.source tells CocoaPods to pull Folly from tag v2018.10.22.00 which contains an unpatched version of Folly without the fix to CVE-2019-11934.
Some additional info:
I noticed this when running dependency-check-cli against a React Native project.
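A small audit script for the condition this report describes, added here as an example (it is not code from the issue or from React Native). It parses a constructed Folly.podspec sample, flags a pinned Folly release older than 2019.12.30.00 (assumed here to be the minimum patched release) and checks that the git tag is pinned and consistent with `spec.version`; pass a real podspec path to audit a project.

```ruby
# Added audit check (not code from the React Native project): flag a Folly.podspec
# whose pinned Folly release predates the fix for CVE-2019-11934. Assumption: the
# issue only names 2019.12.30.00 as fixed, so that release is used as the threshold.
MIN_PATCHED_FOLLY = '2019.12.30.00'

# Folly releases are dated YYYY.MM.DD.NN; compare them field by field as integers.
def folly_version_key(v)
  v.split('.').map(&:to_i)
end

# Extract spec.version and the git :tag with regexes rather than evaluating the
# podspec: it is Ruby code pulled from node_modules, so an audit script should
# not execute it. A tag written as "v#{spec.version}" is resolved by substitution.
def parse_folly_podspec(text)
  version = text[/spec\.version\s*=\s*['"]([^'"]+)['"]/, 1]
  raise ArgumentError, 'spec.version not found' unless version
  tag_raw = text[/:tag\s*=>\s*(['"])(.*?)\1/m, 2]
  tag = tag_raw&.gsub('#{spec.version}', version)
  { version: version, tag: tag }
end

# Returns human-readable findings; an empty array means the podspec passed.
def audit_folly_podspec(text)
  spec = parse_folly_podspec(text)
  findings = []
  if (folly_version_key(spec[:version]) <=> folly_version_key(MIN_PATCHED_FOLLY)) < 0
    findings << "spec.version #{spec[:version]} predates #{MIN_PATCHED_FOLLY}: CVE-2019-11934 unpatched"
  end
  if spec[:tag].nil?
    findings << 'spec.source has no :tag, so the checkout is not pinned'
  elsif spec[:tag] != "v#{spec[:version]}"
    findings << "spec.source tag #{spec[:tag]} does not match spec.version #{spec[:version]}"
  end
  findings
end

# Constructed sample modelled on third-party-podspecs/Folly.podspec (not the real file).
SAMPLE_PODSPEC = <<~'PODSPEC'
  Pod::Spec.new do |spec|
    spec.name = 'Folly'
    spec.version = '2018.10.22.00'
    spec.source = { :git => 'https://github.com/facebook/folly.git',
                    :tag => "v#{spec.version}" }
  end
PODSPEC

text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_PODSPEC # pass a real Folly.podspec path to audit it
audit_folly_podspec(text).each { |f| puts "FINDING: #{f}" }
```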