logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

GHSA-5fp6-4xw3-xqq3 @keystone-6/core

Package

Manager: npm
Name: @keystone-6/core
Vulnerable Version: >=0 <=5.3.1

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

@keystone-6/core's bundled cuid package known to be insecure ### Summary The `cuid` package used by `@keystone-6/*` and upstream dependencies is deprecated and [marked as insecure by the author](https://github.com/paralleldrive/cuid#status-deprecated-due-to-security-use-cuid2-instead). As reported by the author > Cuid and other k-sortable and non-cryptographic ids (Ulid, ObjectId, KSUID, all UUIDs) are all insecure. Use @paralleldrive/cuid2 instead. ### What are doing about this? - [We are waiting on Prisma](https://github.com/keystonejs/keystone/issues/8282) to add support for [`cuid2`](https://github.com/paralleldrive/cuid2) - Alternatively, we might default to a random string ourselves ### What can I do about this? We have added a work-around for users who want to provide custom identifiers in https://github.com/keystonejs/keystone/pull/8645 ### What if I need a `cuid`? The features marked as a security vulnerability by @paralleldrive are sometimes actually needed ([as written in the README of `cuid`](https://github.com/paralleldrive/cuid#motivation)) - the problem is the inherent risks that features like this can have. You might actually want the features of a monotonically increasing (auto-increment, k-sortable), and timestamp-based id as part of your application, and keystone should support that - but you might not want them by _default_. This is why this security advisory has been accepted by me (@dcousens), we currently use cuid identifiers by default, and that should change. ### Impact I have accepted this security advisory on the basis that we don't need this kind of identifier typically, and the need for them should be driven by an application's requirements, not a convenient default.

Metadata

Created: 2023-06-12T18:37:31Z
Modified: 2023-06-23T13:56:28Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-5fp6-4xw3-xqq3/GHSA-5fp6-4xw3-xqq3.json
CWE IDs: []
Alternative ID: N/A
Finding: F052
Auto approve: 1