
Is localtunnel even maintained? Still has CRITICAL SECURITY VULNERABILITY (axios) from 2 years ago #724


@myarcana

#632 is a 2-year-old issue pointing out the critical security vulnerabilit**ies** that localtunnel's axios version has: revealing confidential information on every request, enabling server-side request forgery (SSRF), and making the server vulnerable to DoS attacks.

This affects the latest version of localtunnel (that everyone uses with npx localtunnel):

% tempdir="$(mktemp -d)" npm install localtunnel@"$(npx localtunnel --version)" --package-lock-only --prefix "$tempdir" && npm audit --prefix "$tempdir"

up to date, audited 26 packages in 1s

3 packages are looking for funding
  run `npm fund` for details

2 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.
# npm audit report

axios  <=0.30.1
Severity: high
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL - https://github.com/advisories/GHSA-jr5f-v2jv-69x6
Axios is vulnerable to DoS attack through lack of data size check - https://github.com/advisories/GHSA-4hjh-wcwx-xvwj
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/axios
  localtunnel  >=1.9.0
  Depends on vulnerable versions of axios
  node_modules/localtunnel

2 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

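Added example, not from this issue or from the localtunnel project: a small Node.js script that parses the text report `npm audit` prints (the format quoted above; the embedded sample is constructed from those lines) and gates on severity, so the same check can run in CI and fail before a vulnerable transitive dependency like this axios range ships.

```javascript
// Constructed sample, copied from the report format shown in the issue.
const SAMPLE_REPORT = `# npm audit report

axios  <=0.30.1
Severity: high
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL - https://github.com/advisories/GHSA-jr5f-v2jv-69x6
Axios is vulnerable to DoS attack through lack of data size check - https://github.com/advisories/GHSA-4hjh-wcwx-xvwj
fix available via \`npm audit fix --force\`
node_modules/axios
  localtunnel  >=1.9.0
  Depends on vulnerable versions of axios
  node_modules/localtunnel
`;

const SEVERITY_RANK = { low: 1, moderate: 2, high: 3, critical: 4 };

// Parse the text report into one finding per vulnerable package:
// { package, range, severity, advisories: [GHSA ids], dependents: [names] }.
function parseAuditReport(text) {
  const findings = [];
  let current = null;
  for (const raw of text.split('\n')) {
    const line = raw.trimEnd();
    // An unindented "pkg  <range>" line (two or more spaces) starts a finding.
    const pkg = /^(\S+)\s{2,}(\S.*)$/.exec(line);
    if (pkg) {
      current = { package: pkg[1], range: pkg[2], severity: null, advisories: [], dependents: [] };
      findings.push(current);
      continue;
    }
    if (!current) continue;
    const sev = /^Severity:\s*(\w+)/.exec(line);
    if (sev) { current.severity = sev[1].toLowerCase(); continue; }
    // Advisory lines end in a GHSA id, with or without the full URL.
    const adv = /(GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4})\s*$/.exec(line);
    if (adv) { current.advisories.push(adv[1]); continue; }
    // Indented "  dependent  <range>" lines name what pulls the package in.
    const dep = /^\s{2}(\S+)\s{2,}(\S.*)$/.exec(line);
    if (dep) current.dependents.push(dep[1]);
  }
  return findings;
}

// Findings at or above the threshold; an empty result means the gate passes.
function findingsAtOrAbove(findings, threshold = 'high') {
  const min = SEVERITY_RANK[threshold];
  return findings.filter((f) => (SEVERITY_RANK[f.severity] || 0) >= min);
}
```

Pipe real output in with `npm audit --prefix "$tempdir" | node gate.js` after reading stdin into `parseAuditReport`; exit non-zero when `findingsAtOrAbove` is non-empty.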
