See on npm

rsshub 1.0.0-master.fc1b99f

3 security vulnerabilities found in version 1.0.0-master.fc1b99f

Denial of Service (DoS) vulnerability in RSSHub

high severity GHSA-jvxx-v45p-v5vf
high severity GHSA-jvxx-v45p-v5vf
Affected versions: <= 1.0.0

Impact

Passing some special values to the filter and filterout parameters can cause an abnormally high CPU. Impact on the performance of the servers and RSSHub services.

Patches

It is fixed in 5c4177441417b44a6e45c3c63e9eac2504abeb5b , please update to this or the later versions as soon as possible.

Credits

@Rongronggg9

References

A full report will be disclosed after 120 hours.

For more information

If you have any questions or comments about this advisory:

Risk of code injection

high severity CVE-2021-21278
high severity CVE-2021-21278
Affected versions: <= 1.0.0

Impact

Some routes use eval or Function constructor, which may be injected by the target site with unsafe code, causing server-side security issues

Patches

Temporarily removed the problematic route and added a no-new-func rule to eslint Self-built users should upgrade to 7f1c430 and later as soon as possible

Credits

Tencent Woodpecker Security Team

For more information

If you have any questions or comments about this advisory:

Denial of Service (DoS) vulnerability in RSSHub

medium severity CVE-2022-31110
medium severity CVE-2022-31110
Affected versions: <= 1.0.0

Impact

Passing some special values to the filter and filterout parameters can cause an abnormally high CPU. Impact on the performance of the servers and RSSHub services.

Patches

It is fixed in 5c4177441417b44a6e45c3c63e9eac2504abeb5b , please update to this or the later versions as soon as possible.

References

Full report: https://github.com/DIYgod/RSSHub/issues/10045

For more information

If you have any questions or comments about this advisory:

Credits

@Rongronggg9

No license issues detected.

This package version has a license in the source code.

This package version is available.

This package version has not been yanked and is still available for usage.