
XSS Vulnerability in cookie dependency. CVE-2024-47764 #13975

Closed
3 tasks done
henri-dpd opened this issue Oct 30, 2024 · 4 comments
Assignees: cwomack
Labels: bug (Something isn't working), Core (Related to core Amplify issues), dependencies (Pull requests that update a dependency file)

Comments

@henri-dpd

henri-dpd commented Oct 30, 2024


JavaScript Framework

React

Amplify APIs

Not applicable

Amplify Version

v5

Amplify Categories

Not applicable

Backend

Amplify CLI

Environment information

System:
OS: Windows 11 10.0.22631
CPU: (8) x64 11th Gen Intel(R) Core(TM) i5-1135G7 @ 2.40GHz
Memory: 16.03 GB / 31.65 GB
Binaries:
Node: 20.11.0 - C:\Program Files\nodejs\node.EXE
Yarn: 1.22.21 - C:\Program Files\nodejs\yarn.CMD
npm: 10.2.4 - C:\Program Files\nodejs\npm.CMD
pnpm: 8.15.5 - C:\Program Files\nodejs\pnpm.CMD
Browsers:
Edge: Chromium (128.0.2739.42)
Internet Explorer: 11.0.22621.3527
npmPackages:
@aws-amplify/geo: ^2.3.4 => 2.3.13
@aws-amplify/ui-react-geo: ^1.0.2 => 1.0.2
@aws-sdk/client-cognito-identity-provider: ^3.609.0 => 3.682.0
@aws-sdk/client-location: ^3.609.0 => 3.682.0 (3.186.4)
@babel/core: ^7.21.0 => 7.26.0
@babel/preset-env: ^7.20.2 => 7.20.2
@babel/preset-react: ^7.18.6 => 7.18.6
@babel/preset-typescript: ^7.21.0 => 7.21.0
@commitlint/cli: ^17.4.4 => 17.4.4
@commitlint/config-conventional: ^17.4.4 => 17.4.4
@commitlint/cz-commitlint: ^17.4.4 => 17.4.4
@cypress/angular:  0.0.0-development
@cypress/mount-utils:  0.0.0-development
@cypress/react:  0.0.0-development
@cypress/react18:  0.0.0-development
@cypress/svelte:  0.0.0-development
@cypress/vue:  0.0.0-development
@cypress/vue2:  0.0.0-development
@emotion/babel-plugin: ^11.10.6 => 11.11.0
@emotion/cache: ^11.11.0 => 11.11.0
@emotion/react: ^11.11.4 => 11.11.4
@emotion/styled: ^11.11.5 => 11.11.5
@hookform/error-message: ^2.0.1 => 2.0.1
@hookform/resolvers: ^2.9.11 => 2.9.11
@hookform/resolvers/ajv:  1.0.0
@hookform/resolvers/class-validator:  1.0.0
@hookform/resolvers/computed-types:  1.0.0
@hookform/resolvers/io-ts:  1.0.0
@hookform/resolvers/joi:  1.0.0
@hookform/resolvers/nope:  1.0.0
@hookform/resolvers/superstruct:  1.0.0
@hookform/resolvers/typanion:  1.0.0
@hookform/resolvers/vest:  1.0.0
@hookform/resolvers/yup:  1.0.0
@hookform/resolvers/zod:  1.0.0
@mui/icons-material: ^5.11.11 => 5.11.11
@mui/material: ^5.15.20 => 5.15.20
@mui/x-date-pickers: ^6.16.3 => 6.17.0
@testing-library/jest-dom: ^5.16.5 => 5.16.5
@testing-library/react: ^14.0.0 => 14.0.0
@types/node: ^18.14.2 => 18.15.0 (20.12.7, 16.18.101)
@types/react: ^18.0.28 => 18.3.3
@types/react-dom: ^18.0.11 => 18.0.11
@types/react-helmet: ^6.1.8 => 6.1.8
@types/react-input-mask: 2.0.4 => 2.0.4
@types/testing-library__jest-dom: ^5.14.5 => 5.14.5
@types/uuid: ^9.0.1 => 9.0.1
@typescript-eslint/eslint-plugin: ^5.54.0 => 5.54.1
@typescript-eslint/parser: ^5.54.0 => 5.54.1
@vitejs/plugin-basic-ssl: ^1.0.1 => 1.0.1
@vitejs/plugin-react: ^4.2.1 => 4.3.3
@vitest/coverage-c8: ^0.30.1 => 0.30.1
@vitest/coverage-istanbul: ^0.29.2 => 0.29.2
@vitest/ui: ^0.29.1 => 0.29.2
autoprefixer: ^10.4.13 => 10.4.14
aws-amplify: ^5.3.10 => 5.3.21
axios: ^1.3.4 => 1.7.5
commitizen: ^4.3.0 => 4.3.0
cypress: ^12.16.0 => 12.17.4
dayjs: ^1.11.7 => 1.11.7 (1.11.8)
dotenv: ^16.3.1 => 16.3.1
eslint: ^8.35.0 => 8.36.0
eslint-config-prettier: ^8.6.0 => 8.7.0
eslint-plugin-jsx-a11y: ^6.7.1 => 6.7.1
eslint-plugin-prettier: ^4.2.1 => 4.2.1
eslint-plugin-react: ^7.32.2 => 7.32.2
eslint-plugin-react-hooks: ^4.6.0 => 4.6.0
eslint-plugin-unused-imports: ^2.0.0 => 2.0.0
geolib: ^3.3.4 => 3.3.4
happy-dom: ^8.9.0 => 8.9.0
husky: ^8.0.3 => 8.0.3
iconsax-react: ^0.0.8 => 0.0.8
jsdom: ^21.1.1 => 21.1.1
lint-staged: ^13.2.0 => 13.2.0
prettier: 2.8.4 => 2.8.4
react: ^18.2.0 => 18.2.0
react-dom: ^18.2.0 => 18.2.0
react-helmet: ^6.1.0 => 6.1.0
react-hook-form: ^7.43.5 => 7.43.5
react-image: ^4.1.0 => 4.1.0
react-input-mask: ^2.0.4 => 2.0.4
react-intl: ^6.2.10 => 6.2.10
react-markdown: ^9.0.0 => 9.0.0
react-router-dom: ^6.9.0 => 6.9.0
react-spring: ^9.7.1 => 9.7.1
rehype-raw: ^7.0.0 => 7.0.0
rxjs: ^7.8.0 => 7.8.0 (7.8.1)
rxjs/ajax:  undefined ()
rxjs/fetch:  undefined ()
rxjs/operators:  undefined ()
rxjs/testing:  undefined ()
rxjs/webSocket:  undefined ()
typescript: ^4.9.5 => 4.9.5
use-async-memo: ^1.2.5 => 1.2.5
uuid: ^9.0.0 => 9.0.1 (3.4.0, 8.3.2)
vite: ^4.3.9 => 4.5.3
vite-plugin-checker: ^0.6.0 => 0.6.4
vite-plugin-svgr: ^2.4.0 => 2.4.0
vite-tsconfig-paths: ^4.0.5 => 4.0.5
vitest: ^0.30.1 => 0.30.1
yup: ^1.0.2 => 1.0.2
npmGlobalPackages:
@aws-amplify/cli: 12.13.0
commitizen: 4.3.0
corepack: 0.23.0
npm: 10.2.4
pnpm: 8.15.5
sonarqube-scanner: 4.0.1
yarn: 1.22.21

Describe the bug

Currently aws-amplify v5 uses the "universal-cookie": "^4.0.4" library, but this version has a Cross-site Scripting vulnerability, CVE-2024-47764, because it has the "cookie": "^0.4.2" library as a dependency.

Expected behavior

It is necessary to upgrade the universal-cookie library to at least version ^7.2.1, because that version uses "cookie": "^0.7.2".

Reproduction steps

  1. Install aws-amplify version 5: npm i aws-amplify@5
  2. Look at the file package-lock.json. There is a dependency called cookie with version ^0.4.2; this library is a dependency of universal-cookie, which has version ^4.0.4 and is itself a dependency of aws-amplify/core.




Additional information and screenshots

CVE-2024-47764

@cwomack
Member

cwomack commented Oct 30, 2024

Hello, @henri-dpd 👋 and thank you for opening this issue. We're looking into this and will follow up with additional comments/questions when we can.

@cwomack cwomack self-assigned this Oct 30, 2024
@cwomack
Member

cwomack commented Oct 30, 2024

@henri-dpd, we just released v5.3.26 to address this issue and upgrade the version of the universal-cookie dependency. Would you please upgrade and confirm this is resolved? Thanks!

@henri-dpd
Author

@cwomack It was resolved. Thank you

@cwomack
Member

cwomack commented Oct 31, 2024

Thanks for the confirmation, @henri-dpd. We'll close this issue out as resolved then and appreciate you reporting this!

@cwomack cwomack closed this as completed Oct 31, 2024