Vulnerability in hoek package

[warpdesign]

There is a vulnerability in the hoek package which is required by hawk that request depends on.

Request depends on hawk version ~6.0.2. Updating to hawk version 7.0.0 would fix the problem.

[crccheck]

I tried just bumping to hawk v7.0.7 earlier today but the test broke. I had to jump off to do something else but I only got as far as this faster way to run the test:

npx taper tests/test-hawk.js

[dan-nl]

as far as i understand it, the issue is with a cve, https://nvd.nist.gov/vuln/detail/CVE-2018-3728, regarding hoek < v5.0.3; request v2.85.1 requires hawk ~6.0.2, which requires hoek 4.x.x. request requires hawk ~6.0.2 to maintain compatibility with node 4.

• the cve states that “hoek node module before 5.0.3 suffers from …” and references hapijs/hoek@32ed5c9 as a fix in hoek v5.0.3

• however, hoek v4.2.1 also has that fix:
  hapijs/hoek@5aed1a8
  https://github.com/hapijs/hoek/blob/v4.2.1/lib/index.js#L116

thus, it appears that the cve is incorrectly considering hoek v4.2.1 as vulnerable and may be why so many github repos are now reporting a vulnerability. i sent an email to nvd.nist.gov about the issue.

[ptrcnull]

See here: #2891 (comment)

[PhilippeVay]

To confirm the findings of dan-nl, both links from securityfocus and hackerone in the CVE state that it has been fixed

Not Vulnerable:
| Hoek Hoek 4.2.1
| Hoek Hoek 5.0.3

vdeturckheim posted a comment. Feb 15th (2 months ago)
Fix has been backported to 4.x track of the module and published as 4.2.1. (see hapijs/hoek#231 )

and it's confirmed by @nlf in hapijs/hoek#230 (comment)

It has been fixed.
To further discuss, (…)

[jfoclpf]

@warpdesign you said

Request depends on hawk version ~6.0.2. Updating to hawk version 7.0.0 would fix the problem

But how do I do that if I don't have hawk directly as a dependency?

autocosts@5.4.4 /home/jfolpf/autocosts
└─┬ request@2.85.0
  └─┬ hawk@6.0.2
    ├─┬ boom@4.3.1
    │ └── hoek@4.2.1  deduped
    ├─┬ cryptiles@3.1.2
    │ └─┬ boom@5.2.0
    │   └── hoek@4.2.1  deduped
    ├── hoek@4.2.1 
    └─┬ sntp@2.1.0
      └── hoek@4.2.1  deduped

which npm command? npm update request didn't do the job. Nor npm update hoek
thanks

[jbreckmckye]

You can't. You have to wait until Request publishes a new version that uses Hawk 7. That's the problem.

[johnbeech]

Can confirm, I've had 6 repos flagged by github for having the hoek vulnerability because of the request library.

[warpdesign]

@jfoclpf I guess it should be possible to temporary fix the problem by publishing forks with an updated version. But you don't want to go this road. Better wait for an official resolution (which shouldn't be long to come this the vce state just needs to be updated for hoek v4.2.1).

[jfoclpf]

According to what I have been told from other packages, it's a false positive from github. There is no vulnerability in that version of hoek. Nonetheless it's annoying and thus let's wait for an official update of request.