Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS01ZnA2LTR4dzMteHFxM84AAzyU
@keystone-6/core's bundled cuid package known to be insecure
Summary
The cuid package used by @keystone-6/* and upstream dependencies is deprecated and marked as insecure by the author.
As reported by the author
Cuid and other k-sortable and non-cryptographic ids (Ulid, ObjectId, KSUID, all UUIDs) are all insecure. Use @paralleldrive/cuid2 instead.
What are doing about this?
- We are waiting on Prisma to add support for
cuid2 - Alternatively, we might default to a random string ourselves
What can I do about this?
We have added a work-around for users who want to provide custom identifiers in https://github.com/keystonejs/keystone/pull/8645
What if I need a cuid?
The features marked as a security vulnerability by @paralleldrive are sometimes actually needed (as written in the README of cuid) - the problem is the inherent risks that features like this can have.
You might actually want the features of a monotonically increasing (auto-increment, k-sortable), and timestamp-based id as part of your application, and keystone should support that - but you might not want them by default.
This is why this security advisory has been accepted by me (@dcousens), we currently use cuid identifiers by default, and that should change.
Impact
I have accepted this security advisory on the basis that we don't need this kind of identifier typically, and the need for them should be driven by an application's requirements, not a convenient default.
Permalink: https://github.com/advisories/GHSA-5fp6-4xw3-xqq3JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01ZnA2LTR4dzMteHFxM84AAzyU
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: 11 months ago
Updated: 11 months ago
Identifiers: GHSA-5fp6-4xw3-xqq3
References:
- https://github.com/keystonejs/keystone/security/advisories/GHSA-5fp6-4xw3-xqq3
- https://github.com/keystonejs/keystone/issues/8282#issuecomment-1586019823
- https://github.com/paralleldrive/cuid#status-deprecated-due-to-security-use-cuid2-instead
- https://github.com/advisories/GHSA-5fp6-4xw3-xqq3
Blast Radius: 0.0
Affected Packages
npm:@keystone-6/core
Dependent packages: 37Dependent repositories: 133
Downloads: 114,572 last month
Affected Version Ranges: <= 5.3.1
No known fixed version
All affected versions: 1.0.0, 1.0.1, 1.1.0, 1.1.1, 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 4.0.0, 4.0.1, 5.0.0, 5.1.0, 5.2.0, 5.3.0, 5.3.1