Help

Security vulnerability in acorn library (bundled with Blocks SDK)

Topic Labels: Custom Extensions
3260 2
cancel
Showing results for 
Search instead for 
Did you mean: 
Tommy_Chan
5 - Automation Enthusiast
5 - Automation Enthusiast

Currently the Blocks SDK creates the deps for the acorn library which has a security vulnerability:

Upgrade acorn to version 7.1.1 or later. For example:

“dependencies”: { “acorn”: “>=7.1.1” }

or…

“devDependencies”: { “acorn”: “>=7.1.1” }

Always verify the validity and compatibility of suggestions with your codebase.

Details

GHSA-6chw-6frg-f759

moderate severity

Vulnerable versions: >= 7.0.0, < 7.1.1

Patched version: 7.1.1

Affected versions of acorn are vulnerable to Regular Expression Denial of Service.
A regex in the form of /[x-\ud800]/u causes the parser to enter an infinite loop.
The string is not valid UTF16 which usually results in it being sanitized before reaching the parser.
If an application processes untrusted input and passes it directly to acorn,
attackers may leverage the vulnerability leading to Denial of Service.

The solution is to upgrade the Blocks SDK to use a newer version of acorn.

2 Replies 2
Tommy_Chan
5 - Automation Enthusiast
5 - Automation Enthusiast

I’m currently on 0.0.53 btw

Mike_Pennisi
7 - App Architect
7 - App Architect

If an application processes untrusted input and passes it directly to acorn,

This does not apply to applications built on the Airtable Block platform.