[security] active CVE triage (dependencies + deployment surface) - 2026-05-23 #10

Closed
opened 2026-05-23 15:51:36 +00:00 by dirtydishes · 1 comment
Owner

## Summary

Automated security triage found active unaddressed dependency CVEs affecting current `islandflow` lockfile versions.

Counters for this run:

- `unaddressed critical CVEs: 0`
- `unaddressed medium/low CVEs: 3`
- `unaddressed total CVEs: 9`

This pass reviewed Bun workspace manifests/locks plus deployment/runtime definitions (`oven/bun:1.3.11`, `clickhouse/clickhouse-server:23.8`, `redis:7.2`, `nats:2.10`). The enumerated CVEs below are lockfile-confirmed. I reviewed the pinned image references, but image-level OS/package CVE expansion was not completed in this run because the local Docker daemon was unavailable.

## Findings

| Priority | CVE | Package | Current Version (repo) | Vulnerable Range | Patched Version | Published (UTC) | Description |
|---|---|---|---|---|---|---|---|
| high | [CVE-2026-23745](https://nvd.nist.gov/vuln/detail/CVE-2026-23745) | tar | 6.2.1 | <= 7.5.2 | 7.5.3 | 2026-01-16T21:16:20Z | Arbitrary file overwrite / symlink poisoning in `tar` extraction paths. |
| high | [CVE-2026-23950](https://nvd.nist.gov/vuln/detail/CVE-2026-23950) | tar | 6.2.1 | <= 7.5.3 | 7.5.4 | 2026-01-21T01:05:49Z | Path reservation race in `tar`, relevant to local extraction workflows on macOS APFS. |
| high | [CVE-2026-24842](https://nvd.nist.gov/vuln/detail/CVE-2026-24842) | tar | 6.2.1 | < 7.5.7 | 7.5.7 | 2026-01-28T16:35:31Z | Hardlink path traversal can create or overwrite files outside the intended extraction root. |
| high | [CVE-2026-26960](https://nvd.nist.gov/vuln/detail/CVE-2026-26960) | tar | 6.2.1 | < 7.5.8 | 7.5.8 | 2026-02-18T00:57:13Z | Symlink-chain hardlink escape enables out-of-root file read/write during extraction. |
| high | [CVE-2026-29786](https://nvd.nist.gov/vuln/detail/CVE-2026-29786) | tar | 6.2.1 | <= 7.5.9 | 7.5.10 | 2026-03-05T00:52:32Z | Drive-relative hardlink path traversal in `tar`. |
| high | [CVE-2026-31802](https://nvd.nist.gov/vuln/detail/CVE-2026-31802) | tar | 6.2.1 | <= 7.5.10 | 7.5.11 | 2026-03-10T23:44:58Z | Drive-relative symlink traversal can escape the extraction directory. |
| moderate | [CVE-2026-41305](https://nvd.nist.gov/vuln/detail/CVE-2026-41305) | postcss | 8.4.31 | < 8.5.10 | 8.5.10 | 2026-04-23T23:16:11Z | XSS risk when user-controlled CSS is re-stringified into HTML `<style>` tags. |
| moderate in GitHub / high in NVD | [CVE-2026-45736](https://nvd.nist.gov/vuln/detail/CVE-2026-45736) | ws | 8.18.3 | >= 8.0.0, < 8.20.1 | 8.20.1 | 2026-05-15T11:16:54Z | `websocket.close()` can disclose uninitialized memory when passed a TypedArray reason. |
| low | [CVE-2025-54798](https://advisories.gitlab.com/npm/tmp/CVE-2025-54798/) | tmp | 0.0.33 | <= 0.2.3 | 0.2.4 | 2025-08-20 | Symlink-based arbitrary temporary file or directory write via the `dir` parameter. |

## Project Impact

- The six `tar` CVEs are pulled in through the Electron desktop toolchain (`@electron-forge/cli`, `@electron-forge/core`, `@electron-forge/maker-zip`) and primarily affect developer or packaging-time archive extraction rather than the live Bun services.
- `ws` affects the runtime ingest services that use WebSocket connections (`services/ingest-equities`, `services/ingest-news`, `services/ingest-options`).
- `postcss` affects the Next.js web build chain.
- `tmp` is transitive through the desktop packaging toolchain.

## Recommended Remediation

1. Upgrade the Electron forge / rebuild chain until `tar` resolves to at least `7.5.11` and `tmp` resolves to at least `0.2.4`.
2. Upgrade `ws` to at least `8.20.1`.
3. Upgrade the Next.js dependency chain so `postcss` resolves to at least `8.5.10`.
4. Rebuild the desktop app, web app, and affected services after dependency bumps.
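Steps 1 to 3 each state a minimum resolved version. As an added example (not tooling from the `islandflow` repository), the script below turns those minimums into a mechanical gate that can run after the dependency bumps instead of re-reading the lockfile by eye. `MIN_PATCHED` is taken from the findings table; `RESOLVED_AFTER_BUMP` is a constructed sample of what a lockfile might resolve to, not the real `islandflow` lockfile. The semver comparison is written out in full so that two realistic ways a bump can look done but not be are both caught: a second, older copy of a package still resolved through another dependency, and a prerelease of the fix, which sorts below the release and therefore does not satisfy the minimum.

```javascript
// Added example (not from the islandflow repo): gate resolved package versions
// against the patched minimums from the findings table.
const MIN_PATCHED = { tar: "7.5.11", ws: "8.20.1", postcss: "8.5.10", tmp: "0.2.4" };

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]"; build metadata is ignored for ordering.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ? m[4].split(".") : [] };
}

// Prerelease identifiers: numeric ones compare numerically and sort before alphanumeric ones.
function compareIdentifiers(a, b) {
  const an = /^\d+$/.test(a);
  const bn = /^\d+$/.test(b);
  if (an && bn) return Math.sign(Number(a) - Number(b));
  if (an) return -1;
  if (bn) return 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

// Returns -1, 0 or 1. A version with a prerelease sorts below the same version without one.
function compareSemver(a, b) {
  const x = parseSemver(a);
  const y = parseSemver(b);
  for (const k of ["major", "minor", "patch"]) {
    if (x[k] !== y[k]) return x[k] < y[k] ? -1 : 1;
  }
  if (x.pre.length === 0 || y.pre.length === 0) return Math.sign(y.pre.length - x.pre.length);
  const n = Math.max(x.pre.length, y.pre.length);
  for (let i = 0; i < n; i++) {
    if (i >= x.pre.length) return -1; // the shorter prerelease list sorts lower
    if (i >= y.pre.length) return 1;
    const c = compareIdentifiers(x.pre[i], y.pre[i]);
    if (c !== 0) return c;
  }
  return 0;
}

// `resolved` maps a package name to every version of it the lockfile resolves
// (a package can legitimately be present at several versions at once).
// Returns the (package, version) pairs that are still below the patched minimum.
function unaddressed(resolved, minimums = MIN_PATCHED) {
  const out = [];
  for (const [pkg, min] of Object.entries(minimums)) {
    for (const v of resolved[pkg] ?? []) {
      if (compareSemver(v, min) < 0) out.push({ package: pkg, version: v, minimum: min });
    }
  }
  return out;
}

// Constructed sample of a post-bump lockfile state (not the real islandflow lockfile).
const RESOLVED_AFTER_BUMP = {
  tar: ["7.5.11", "6.2.1"],     // forge chain bumped, but an older copy still resolves elsewhere
  ws: ["8.20.1"],
  postcss: ["8.5.10-beta.1"],   // a prerelease of the fix does not satisfy the minimum
  tmp: ["0.2.4"],
};

for (const f of unaddressed(RESOLVED_AFTER_BUMP)) {
  console.log(`${f.package}@${f.version} is below the patched minimum ${f.minimum}`);
}
```

On the sample above it reports `tar@6.2.1` and `postcss@8.5.10-beta.1`; an empty result is the signal that step 4 (rebuilding) can proceed. The version lists fed to `unaddressed` should come from what the lockfile actually resolves, not from the ranges declared in `package.json`, since a declared range is exactly what let the old `tar` copy survive here.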

## Notes

- No separate CVE issue was opened in this run because this repository already had an open security tracking issue for the same active set.
- Runtime image definitions were reviewed, but image-package enumeration needs a working Docker daemon or another image scanner to produce defensible CVE claims.

## References

- `bun audit`
- [NVD: CVE-2026-31802](https://nvd.nist.gov/vuln/detail/CVE-2026-31802)
- [NVD: CVE-2026-45736](https://nvd.nist.gov/vuln/detail/CVE-2026-45736)
- [NVD: CVE-2026-41305](https://nvd.nist.gov/vuln/detail/CVE-2026-41305)
- [GitLab advisory mirror: CVE-2025-54798](https://advisories.gitlab.com/npm/tmp/CVE-2025-54798/)
dirtydishes changed title from [security] medium/high CVE triage (dependencies + deployment surface) - 2026-05-23 to [security] active CVE triage (dependencies + deployment surface) - 2026-05-23 2026-05-23 16:00:43 +00:00
Author
Owner

genuinely shameful.

- 6 high-severity
- 2 medium-severity
- 1 low-severity

**9 CVEs were running live for weeks to months, completely unnoticed. not that i checked... i was gonna get to it i swear lol (ig this is that) - git gud mf jesus**

and this was just updating dependencies, the very start - the absolute lowest hanging fruit.

at least the whole server won't get pwn'd... **again...**

**_i hope._**

fixed in https://git.deltaisland.io/dirtydishes/islandflow/commit/8464287c0c5e9d34fce9f7c00f2567ad2ed59648

live on prod as of this AM
Reference: dirtydishes/islandflow#10