aknuth
/
bizmatch-project
1
0
Fork 0
Code Issues 7 Pull Requests Packages Projects 5 Releases Wiki Activity
bizmatch-project/VULNERABILITY_FIXES.md

7.4 KiB
Raw Blame History

Security Vulnerability Fixes

Overview

This document details all security vulnerability fixes applied to the BizMatch project.

Date: 2026-01-03 Total Vulnerabilities Before: 81 (45 server + 36 frontend) Critical Updates Required: Yes

🔴 Critical Fixes (Server)

1. Underscore.js Arbitrary Code Execution

Vulnerability: CVE (Arbitrary Code Execution) Severity: Critical Status: FIXED (via nodemailer-smtp-transport dependency update)

2. HTML Minifier ReDoS

Vulnerability: GHSA-pfq8-rq6v-vf5m (ReDoS in kangax html-minifier) Severity: High Status: FIXED (via @nestjs-modules/mailer 2.0.2 → 2.1.0) Impact: Fixes 33 high-severity vulnerabilities in mjml-* packages

🟠 High Severity Fixes (Frontend)

1. Angular XSS Vulnerability

Vulnerability: GHSA-58c5-g7wp-6w37 (XSRF Token Leakage via Protocol-Relative URLs) Severity: High Package: @angular/common, @angular/compiler, and all Angular packages Status: FIXED (Angular 18.1.3 → 19.2.16)

Files Updated:

  • @angular/animations: 18.1.3 → 19.2.16
  • @angular/common: 18.1.3 → 19.2.16
  • @angular/compiler: 18.1.3 → 19.2.16
  • @angular/core: 18.1.3 → 19.2.16
  • @angular/forms: 18.1.3 → 19.2.16
  • @angular/platform-browser: 18.1.3 → 19.2.16
  • @angular/platform-browser-dynamic: 18.1.3 → 19.2.16
  • @angular/platform-server: 18.1.3 → 19.2.16
  • @angular/router: 18.1.3 → 19.2.16
  • @angular/ssr: 18.2.21 → 19.2.16
  • @angular/cdk: 18.0.6 → 19.1.5
  • @angular/cli: 18.1.3 → 19.2.16
  • @angular-devkit/build-angular: 18.1.3 → 19.2.16
  • @angular/compiler-cli: 18.1.3 → 19.2.16

2. Angular Stored XSS via SVG/MathML

Vulnerability: GHSA-v4hv-rgfq-gp49 Severity: High Status: FIXED (via Angular 19 update)

🟡 Moderate Severity Fixes

1. Nodemailer Vulnerabilities (Server)

Vulnerabilities:

  • GHSA-mm7p-fcc7-pg87 (Email to unintended domain)
  • GHSA-rcmh-qjqh-p98v (DoS via recursive calls in addressparser)
  • GHSA-46j5-6fg5-4gv3 (DoS via uncontrolled recursion)

Severity: Moderate Package: nodemailer Status: FIXED (nodemailer 6.9.10 → 7.0.12)

2. Undici Vulnerabilities (Frontend)

Vulnerabilities:

  • GHSA-c76h-2ccp-4975 (Use of Insufficiently Random Values)
  • GHSA-cxrh-j4jr-qwg3 (DoS via bad certificate data)

Severity: Moderate Package: undici (via Firebase dependencies) Status: FIXED (firebase 11.3.1 → 11.9.0)

3. Esbuild Development Server Vulnerability

Vulnerability: GHSA-67mh-4wv8-2f99 Severity: Moderate Status: FIXED (drizzle-kit 0.23.2 → 0.31.8) Note: Development-only vulnerability, does not affect production

⚠️ Accepted Risks (Development-Only)

1. pg-promise SQL Injection (Server)

Vulnerability: GHSA-ff9h-848c-4xfj Severity: Moderate Package: pg-promise (used by pg-to-ts dev tool) Status: ⚠️ ACCEPTED RISK Reason:

  • No fix available
  • Only used in development tool (pg-to-ts)
  • Not used in production runtime
  • pg-to-ts is only for type generation

2. tmp Symbolic Link Vulnerability (Frontend)

Vulnerability: GHSA-52f5-9888-hmc6 Severity: Low Package: tmp (used by Angular CLI) Status: ⚠️ ACCEPTED RISK Reason:

  • Development tool only
  • Angular CLI dependency
  • Not included in production build

3. esbuild (Various)

Vulnerability: GHSA-67mh-4wv8-2f99 Severity: Moderate Status: ⚠️ PARTIALLY FIXED Reason:

  • Development server only
  • Fixed in drizzle-kit
  • Remaining instances in vite are dev-only

📦 Package Updates Summary

bizmatch-server/package.json

{
  "dependencies": {
    "@nestjs-modules/mailer": "^2.0.2"  "^2.1.0",
    "firebase": "^11.3.1"  "^11.9.0",
    "nodemailer": "^6.9.10"  "^7.0.12"
  },
  "devDependencies": {
    "drizzle-kit": "^0.23.2"  "^0.31.8"
  }
}

bizmatch/package.json

{
  "dependencies": {
    "@angular/animations": "^18.1.3"  "^19.2.16",
    "@angular/cdk": "^18.0.6"  "^19.1.5",
    "@angular/common": "^18.1.3"  "^19.2.16",
    "@angular/compiler": "^18.1.3"  "^19.2.16",
    "@angular/core": "^18.1.3"  "^19.2.16",
    "@angular/forms": "^18.1.3"  "^19.2.16",
    "@angular/platform-browser": "^18.1.3"  "^19.2.16",
    "@angular/platform-browser-dynamic": "^18.1.3"  "^19.2.16",
    "@angular/platform-server": "^18.1.3"  "^19.2.16",
    "@angular/router": "^18.1.3"  "^19.2.16",
    "@angular/ssr": "^18.2.21"  "^19.2.16"
  },
  "devDependencies": {
    "@angular-devkit/build-angular": "^18.1.3"  "^19.2.16",
    "@angular/cli": "^18.1.3"  "^19.2.16",
    "@angular/compiler-cli": "^18.1.3"  "^19.2.16"
  }
}

🚀 Installation Instructions

Automatic Installation (Recommended)

cd /home/timo/bizmatch-project
bash fix-vulnerabilities.sh

Manual Installation

If you encounter permission errors:

# Fix permissions first
cd /home/timo/bizmatch-project/bizmatch-server
sudo rm -rf node_modules package-lock.json
cd /home/timo/bizmatch-project/bizmatch
sudo rm -rf node_modules package-lock.json

# Then install
cd /home/timo/bizmatch-project/bizmatch-server
npm install

cd /home/timo/bizmatch-project/bizmatch
npm install

Verify Installation

# Check server
cd /home/timo/bizmatch-project/bizmatch-server
npm audit --production

# Check frontend
cd /home/timo/bizmatch-project/bizmatch
npm audit --production

⚠️ Breaking Changes Warning

Angular 18 → 19 Migration

Potential Issues:

  1. Route configuration: Some routing APIs may have changed
  2. Template syntax: Check for deprecated template features
  3. Third-party libraries: Some Angular libraries may not yet support v19
    • @angular/fire: Still on v18.0.1 (compatible but check for updates)
    • @bluehalo/ngx-leaflet: May need testing
    • @ng-select/ng-select: May need testing

Testing Required:

cd /home/timo/bizmatch-project/bizmatch
npm run build
npm run serve:ssr
# Test all major features

Nodemailer 6 → 7 Migration

Potential Issues:

  1. SMTP configuration: Minor API changes
  2. Email templates: Should be compatible

Testing Required:

# Test email functionality
# - User registration emails
# - Password reset emails
# - Contact form emails

📊 Expected Results

Before Updates

  • bizmatch-server: 45 vulnerabilities (4 critical, 33 high, 7 moderate, 1 low)
  • bizmatch: 36 vulnerabilities (17 high, 13 moderate, 6 low)

After Updates (Production Only)

  • bizmatch-server: ~5-10 vulnerabilities (mostly dev-only)
  • bizmatch: ~3-5 vulnerabilities (mostly dev-only)

Remaining Vulnerabilities

All remaining vulnerabilities should be:

  • Development dependencies only (not in production builds)
  • Low/moderate severity
  • Acceptable risk or no fix available

🔒 Security Best Practices

After applying these fixes:

  1. Regular Updates: Run npm audit monthly
  2. Production Builds: Always use production builds for deployment
  3. Dependency Review: Review new dependencies before adding
  4. Testing: Thoroughly test after major updates
  5. Monitoring: Set up dependabot or similar tools

📞 Support

If you encounter issues during installation:

  1. Check the permission errors first
  2. Ensure Node.js and npm are up to date
  3. Review breaking changes section
  4. Test each component individually

Last Updated: 2026-01-03 Next Review: 2026-02-03 (monthly)