Hi,
If I build a simple synthetic monitoring check and push it to artifact registry with vulnerability scanning enabled, I receive a vulnerability report for a CVE from 2019:
GHSA-mxhp-79qh-mcx6
{
"name": "test-monitor",
"version": "1.0.0",
"description": "CVE test",
"main": "dist/index.js",
"scripts": {
"build": "tsc",
"start": "functions-framework --target=SyntheticFunction",
"prestart": "npm run build",
"gcp-build": "npm run build"
},
"dependencies": {
"@google-cloud/functions-framework": "^3.2.0",
"@google-cloud/synthetics-sdk-api": "^0.5.1",
"axios": "^1.5.0",
"winston": "^3.10.0"
},
"devDependencies": {
"typescript": "^5.0.4"
}
}
Once the sdk-api package is introduced, the taffydb vulnerability appears:
Here are the details of the vulnerability:
Documentation
github.com
CVE-2019-10790
https://github.com/advisories/GHSA-mxhp-79qh-mcx6
Details
Version
2.6.2
Affected location
Unsupported OS
Package
taffydb
Package type
Npm
File location(s)
Filter
Location
/workspace/node_modules/ts-proto-descriptors/node_modules/protobufjs/cli/node_modules/taffydb/package.json/workspace/node_modules/ts-proto/node_modules/protobufjs/cli/node_modules/taffydb/package.json
Long description
NIST vectors: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS V3 score
7.5
Create time
Apr 8, 2025
Update time
Apr 8, 2025
Note name
projects/goog-vulnz/notes/CVE-2019-10790
Provider name
goog-vulnz
As you can see, the vulnerability is introduced by ts-proto-descriptors. A more recent version of this package does not contain the vulnerability.
This issue has also been confirmed by Google Support in the Case 58708898
Hi,
If I build a simple synthetic monitoring check and push it to artifact registry with vulnerability scanning enabled, I receive a vulnerability report for a CVE from 2019:
GHSA-mxhp-79qh-mcx6
{ "name": "test-monitor", "version": "1.0.0", "description": "CVE test", "main": "dist/index.js", "scripts": { "build": "tsc", "start": "functions-framework --target=SyntheticFunction", "prestart": "npm run build", "gcp-build": "npm run build" }, "dependencies": { "@google-cloud/functions-framework": "^3.2.0", "@google-cloud/synthetics-sdk-api": "^0.5.1", "axios": "^1.5.0", "winston": "^3.10.0" }, "devDependencies": { "typescript": "^5.0.4" } }Once the sdk-api package is introduced, the taffydb vulnerability appears:
Here are the details of the vulnerability:
As you can see, the vulnerability is introduced by ts-proto-descriptors. A more recent version of this package does not contain the vulnerability.
This issue has also been confirmed by Google Support in the Case 58708898