word-wrap vulnerable to Regular Expression Denial of Service

[vianch]

All versions of the package word-wrap are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of an insecure regular expression within the result variable.

[magnussp]

Just encountered this as well as latest firebase-admin package is reliant on some packages that in turn is reliant on word-wrap.

[eclousersans]

Dealing with this as well. eslint depends on optionator which depends on word-wrap.

Any ETA on patch release?

[eclousersans]

Per this PR:
#33

They aren't able to merge in due to bus factor and the original repo owner getting hit by a bus.

As a hack, they've published a new version under another package name.

Par for the course in JS community...

[silverbackdan]

As seen here #33 (comment)

"overrides": {
  "word-wrap" : "npm:@aashutoshrathi/word-wrap"
}

It appears this is currently a maintained version which you can override with.

[jacquesg]

This unfortunately breaks eslint for me:

Oops! Something went wrong! :(                                                                                                                                                                            
                                                                                                                                                                                                          
ESLint: 8.43.0                                                                                                                                                                                            
                                                                                                                                                                                                          
Error: Cannot find module 'word-wrap'                                                                                                                                                                     
Require stack:                                                                                                                                                                                            
- /home/jacquesg/dev/projects/lossbook/antaeus/node_modules/optionator/lib/help.js                                                                                                                        
- /home/jacquesg/dev/projects/lossbook/antaeus/node_modules/optionator/lib/index.js                                                                                                                       
- /home/jacquesg/dev/projects/lossbook/antaeus/node_modules/eslint/lib/options.js                                                                                                                         
- /home/jacquesg/dev/projects/lossbook/antaeus/node_modules/eslint/lib/cli.js                                                                                                                             
- /home/jacquesg/dev/projects/lossbook/antaeus/node_modules/eslint/bin/eslint.js                                                                                                                          
    at Function.Module._resolveFilename (node:internal/modules/cjs/loader:933:15)                                                                                                                         
    at Function.Module._load (node:internal/modules/cjs/loader:778:27)                                                                                                                                    
    at Module.require (node:internal/modules/cjs/loader:1005:19)                                                                                                                                          
    at require (node:internal/modules/cjs/helpers:102:18)                                                                                                                                                 
    at Object.<anonymous> (/home/jacquesg/dev/projects/lossbook/antaeus/node_modules/optionator/lib/help.js:6:14)                                                                                         
    at Object.<anonymous> (/home/jacquesg/dev/projects/lossbook/antaeus/node_modules/optionator/lib/help.js:260:4)                                                                                        
    at Module._compile (node:internal/modules/cjs/loader:1105:14)                                                                                                                                         
    at Object.Module._extensions..js (node:internal/modules/cjs/loader:1159:10)                                                                                                                           
    at Module.load (node:internal/modules/cjs/loader:981:32)                                                                                                                                              
    at Function.Module._load (node:internal/modules/cjs/loader:822:12)   

[silverbackdan]

I'm also on eslint 8.43.0 - is it possible there is some cache left-overs?

[jacquesg]

No, retried from clean as well. Ended up adding an override for optionator instead, which accomplishes the same thing effectively:

"overrides": {
  "optionator" : "0.9.3"
}

[silverbackdan]

Interesting - pleased you found your solution too.

[bjornjorgensen]

Any updates?

[mahnoorkazidh]

npm audit doesn't fix it for me.. unfortunately. Any update on the solution?

[larouxn]

npm audit doesn't fix it for me.. unfortunately. Any update on the solution?

The best solution we have right now (from here) is to switch to a patched fork. #33 (comment)

"resolutions": {
  "word-wrap": "npm:@aashutoshrathi/word-wrap@^1.2.4"
},

Looks like eslint bumped their affected dependency optionator so that may work for you as well. eslint/eslint#17117

"resolutions": {
  "optionator": "^0.9.3"
}

Non-Yarn users can use overrides in place of resolutions apparently. (haven't tried)

Lastly, it seems many have swapped over to the fork according to the fork's page on npmjs.org.

[kachkaev]

Duplicate of #32

[Anmol-Baranwal]

Hi, everyone.

I was looking for an answer, and never thought it would be as simple as this.

npm audit fix

It will ultimately update the version of the dependency package and it creates no problem.

For reference of the change, you can see here

[doowb]

Fixed in word-wrap@1.2.4.