Description
The import-in-the-middle loader used by @opentelemetry/instrumentation works by generating a wrapper module on the fly. The wrapper uses the module specifier to load the original module and adds some wrapping code. This allows remote code execution when an application passes user-supplied input directly to an import() call.
Recommendation
Update the @opentelemetry/instrumentation package to the latest compatible version. Version details:
- Affected version(s): >= 0.40.0, < 0.41.2
- Patched version(s): 0.41.2
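Two checks a defender would want while the upgrade is rolled out, as an added example that is not from the advisory or from the @opentelemetry/instrumentation project: a test for whether an installed version falls in the affected range stated above, and an allowlist gate so that user input can never reach import(). The safeDynamicImport wrapper and the allowlist are assumptions about how an application might centralize its dynamic imports.

```javascript
// Added example (not the advisory's or the project's code).
// Parses a plain "major.minor.patch" string into numbers.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`not a plain semver string: ${v}`);
  return m.slice(1).map(Number);
}

// Returns -1, 0 or 1 like a comparator, comparing component by component.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Range taken from the advisory: affected >= 0.40.0 and < 0.41.2.
function isAffectedVersion(installed) {
  return compareVersions(installed, '0.40.0') >= 0 &&
         compareVersions(installed, '0.41.2') < 0;
}

// Shape of an acceptable specifier: a bare package name, optionally scoped,
// optionally with a subpath. Paths, URLs, quotes and whitespace never match.
const SPECIFIER_SHAPE =
  /^(?:@[a-z0-9][a-z0-9._-]*\/)?[a-z0-9][a-z0-9._-]*(?:\/[a-z0-9._-]+)*$/i;

// A specifier is allowed only if it is well-formed AND on an explicit allowlist.
function isAllowedSpecifier(specifier, allowlist) {
  return typeof specifier === 'string' &&
         SPECIFIER_SHAPE.test(specifier) &&
         allowlist.has(specifier);
}

// Hypothetical single choke point for dynamic imports in an application:
// anything that is not allowlisted is rejected before import() ever sees it.
async function safeDynamicImport(specifier, allowlist) {
  if (!isAllowedSpecifier(specifier, allowlist)) {
    throw new Error('refused: specifier is not on the import allowlist');
  }
  return import(specifier);
}
```

isAffectedVersion can be run over the versions found in a lockfile to locate installs that still need the upgrade.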
Tags: npm, @opentelemetry/instrumentation
Last updated on August 18, 2023