Module Federation: Koajs vulnerable to Cross-Site Scripting (XSS) at ctx.redirect() function #30748

techfg · 2025-04-16T03:27:25Z

Current Behavior

npm audit warns of a security vulnerability Koajs vulnerable to Cross-Site Scripting (XSS) at ctx.redirect() function:

koa  <2.16.1
Severity: moderate
Koajs vulnerable to Cross-Site Scripting (XSS) at ctx.redirect() function - https://github.com/advisories/GHSA-x2rg-q646-7m2v
fix available via `npm audit fix --force`
Will install @nx/[email protected], which is a breaking change
node_modules/koa
  @module-federation/dts-plugin  <=0.11.4
  Depends on vulnerable versions of koa
  node_modules/@module-federation/dts-plugin
    @module-federation/enhanced  <=0.0.1-rc.0 || 0.1.2 - 0.11.4
    Depends on vulnerable versions of @module-federation/dts-plugin
    Depends on vulnerable versions of @module-federation/manifest
    Depends on vulnerable versions of @module-federation/rspack
    node_modules/@module-federation/enhanced
      @nx/module-federation  *
      Depends on vulnerable versions of @module-federation/enhanced
      node_modules/@nx/module-federation
        @nx/react  <=0.0.0-pr-30702-1a3e277 || >=20.2.0-beta.0
        Depends on vulnerable versions of @nx/module-federation
        node_modules/@nx/react
    @module-federation/manifest  <=0.0.0-next-20250415111630 || 0.1.3 - 0.11.4
    Depends on vulnerable versions of @module-federation/dts-plugin
    node_modules/@module-federation/manifest
      @module-federation/rspack  <=0.11.4
      Depends on vulnerable versions of @module-federation/dts-plugin
      Depends on vulnerable versions of @module-federation/manifest
      node_modules/@module-federation/rspack

Expected Behavior

@nx/module-federation should not depend on a vulnerable dependency.

GitHub Repo

https://github.com/techfg/nx-koajs-xss-repro.git

Steps to Reproduce

clone repo
npm install
npm audit

Nx Report

NX   Report complete - copy this into the issue template

Node           : 22.14.0
OS             : linux-x64
Native Target  : x86_64-linux
npm            : 10.9.2

nx                     : 20.8.0
@nx/js                 : 20.8.0
@nx/eslint             : 20.8.0
@nx/workspace          : 20.8.0
@nx/devkit             : 20.8.0
@nx/module-federation  : 20.8.0
@nx/react              : 20.8.0
@nx/vite               : 20.8.0
@nx/web                : 20.8.0
typescript             : 5.7.3
---------------------------------------
Registered Plugins:
@nx/js/typescript
@nx/react/router-plugin
@nx/vite/plugin
---------------------------------------
Cache Usage: 0.00 B / 25.09 GB

Failure Logs

Package Manager Version

npm 10.9.2

Operating System

macOS
Linux
Windows
Other (Please specify)

Additional Information

Seems to be due to @module-federation/enhanced referencing ^0.9.0 which is an outdated and unpatched version.

@module-federation/dts-plugin has been patched and was released in v0.12.0.

Related: #30502

The text was updated successfully, but these errors were encountered:

…x vulnerability closed nrwl#30502, nrwl#30748

techfg added the type: bug label Apr 16, 2025

Julien-Marcou added a commit to Julien-Marcou/nx that referenced this issue Apr 22, 2025

chore(misc): bump @module-federation/enhanced version to 0.13.0 to fi…

9768509

…x vulnerability closed nrwl#30502, nrwl#30748

Julien-Marcou linked a pull request Apr 22, 2025 that will close this issue

chore(misc): bump @module-federation/enhanced version to 0.13.0 to fix vulnerability #30806

Open

Julien-Marcou added a commit to Julien-Marcou/nx that referenced this issue Apr 22, 2025

chore(misc): bump @module-federation/enhanced version to 0.13.0 to fi…

0b360d8

…x vulnerability closed nrwl#30502, nrwl#30748

Julien-Marcou added a commit to Julien-Marcou/nx that referenced this issue Apr 23, 2025

chore(misc): bump @module-federation/enhanced version to 0.13.0 to fi…

dd43cfc

…x vulnerability closed nrwl#30502, nrwl#30748

Julien-Marcou added a commit to Julien-Marcou/nx that referenced this issue Apr 23, 2025

chore(misc): bump @module-federation/enhanced version to 0.13.0 to fi…

90b79b2

…x vulnerability closed nrwl#30502, nrwl#30748

Julien-Marcou added a commit to Julien-Marcou/nx that referenced this issue Apr 24, 2025

chore(misc): bump @module-federation/enhanced version to 0.13.0 to fi…

fa4966d

…x vulnerability closed nrwl#30502, nrwl#30748

Julien-Marcou added a commit to Julien-Marcou/nx that referenced this issue Apr 24, 2025

chore(misc): bump @module-federation/enhanced version to 0.13.0 to fi…

0aa28de

…x vulnerability closed nrwl#30502, nrwl#30748

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Module Federation: Koajs vulnerable to Cross-Site Scripting (XSS) at ctx.redirect() function #30748

Module Federation: Koajs vulnerable to Cross-Site Scripting (XSS) at ctx.redirect() function #30748

techfg commented Apr 16, 2025 •

edited

Loading

Module Federation: Koajs vulnerable to Cross-Site Scripting (XSS) at ctx.redirect() function #30748

Module Federation: Koajs vulnerable to Cross-Site Scripting (XSS) at ctx.redirect() function #30748

Comments

techfg commented Apr 16, 2025 • edited Loading

Current Behavior

Expected Behavior

GitHub Repo

Steps to Reproduce

Nx Report

Failure Logs

Package Manager Version

Operating System

Additional Information

techfg commented Apr 16, 2025 •

edited

Loading