
BUG: Critical Security Vulnerabilities in Dependencies (multer, pdfjs-dist, esbuild, undici) #299

@MontessoriVisualization

Description



Summary

The project currently contains multiple high and critical severity security vulnerabilities in core npm dependencies. These issues affect file uploads, PDF rendering, development server security, and network requests, and require immediate attention.


🔴 1. Multer v1.x — File Upload Vulnerabilities (Highest Priority)

  • Severity: HIGH

  • Package: multer@1.4.5-lts.2

  • Location: Server dependencies

  • Status: ❌ Vulnerable

Issue

Multer v1.x contains multiple known vulnerabilities that are patched in v2.x. These could allow attackers to exploit the file upload system.

Impact

  • Unauthorized file uploads

  • Directory traversal

  • Denial of Service via crafted file uploads

✅ Recommended Fix

```bash
cd server
npm install multer@2
npm test
```

🔴 2. pdfjs-dist — Arbitrary JavaScript Execution (Critical)

  • Severity: HIGH

  • Package: pdfjs-dist@<=4.1.392 (via react-pdf)

  • Location: Client dependencies

  • Vulnerability ID: GHSA-wgrm-67xf-hhpq

  • Status: ❌ Vulnerable

Issue

PDF.js allows arbitrary JavaScript execution when opening malicious PDF files.

Impact

  • Arbitrary code execution in the browser

  • Session hijacking

  • Data theft

  • XSS via malicious PDFs

✅ Recommended Fix

```bash
cd client
npm install react-pdf@10.2.0 pdfjs-dist@4.3.136
npm test
```

🟡 3. esbuild — Development Server Security Bypass

  • Severity: MODERATE

  • Package: esbuild@<=0.24.2 (via vite)

  • Location: Client build tool

  • Vulnerability ID: GHSA-67mh-4wv8-2f99

  • Status: ❌ Vulnerable

Issue

Any website can send requests to the dev server and read responses.

Impact

  • Exposure of environment variables

  • Cross-origin data leaks during development

✅ Recommended Fix

```bash
cd client
npm install vite@7.2.7
npm audit fix
```

🟡 4. undici — Network Request Vulnerabilities (Firebase)

  • Severity: MODERATE

  • Package: undici@6.0.0 – 6.21.1

  • Location: Firebase (transitive dependency)

  • Vulnerability IDs:

    • GHSA-c76h-2ccp-4975

    • GHSA-cxrh-j4jr-qwg3

  • Status: ⚠️ Requires Firebase update

Impact

  • Weak randomness in security operations

  • Potential DoS via malformed certificates

  • Network request interception risk


📊 Vulnerability Summary

Package | Severity | Fix Available
-- | -- | --
multer | HIGH | ✅ Yes (v2)
pdfjs-dist | HIGH | ✅ Yes (v4.3.136+)
esbuild | MODERATE | ✅ Yes (vite v7.2.7+)
undici | MODERATE | ⏳ Pending Firebase
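As an added check (not part of this issue or the project's code), the script below walks a lockfile-v2/v3 `package-lock.json` and flags every installed copy of the four packages whose version falls inside the ranges listed above, including nested copies such as `undici` pinned under `firebase`. The lockfile fragment is constructed for illustration; the version ranges are the ones stated in this issue.

```javascript
// Vulnerable ranges as stated in the issue (added example, not project code).
const ADVISORIES = {
  multer:       { id: 'multer v1.x (fixed in v2)',   vulnerable: v => cmp(v, '2.0.0') < 0 },
  'pdfjs-dist': { id: 'GHSA-wgrm-67xf-hhpq',         vulnerable: v => cmp(v, '4.1.392') <= 0 },
  esbuild:      { id: 'GHSA-67mh-4wv8-2f99',         vulnerable: v => cmp(v, '0.24.2') <= 0 },
  undici:       { id: 'GHSA-c76h-2ccp-4975 / GHSA-cxrh-j4jr-qwg3',
                  vulnerable: v => cmp(v, '6.0.0') >= 0 && cmp(v, '6.21.1') <= 0 },
};

// Minimal major.minor.patch comparison; pre-release tags (e.g. "-lts.2") are ignored.
function cmp(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Scan every entry of the lockfile "packages" map. Keys are install paths such as
// "node_modules/firebase/node_modules/undici", so the package name is the part
// after the last "node_modules/" segment; "" is the root project and is skipped.
function findVulnerable(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path || !meta.version) continue;
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    const adv = ADVISORIES[name];
    if (adv && adv.vulnerable(meta.version)) hits.push({ path, version: meta.version, id: adv.id });
  }
  return hits;
}

// Constructed lockfile fragment: multer 1.4.5-lts.2 and the nested undici 6.21.1
// under firebase are still vulnerable; pdfjs-dist and esbuild are already patched.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app' },
    'node_modules/multer': { version: '1.4.5-lts.2' },
    'node_modules/pdfjs-dist': { version: '4.3.136' },
    'node_modules/esbuild': { version: '0.25.0' },
    'node_modules/firebase/node_modules/undici': { version: '6.21.1' },
  },
};

for (const h of findVulnerable(SAMPLE_LOCK)) console.log(`${h.path}@${h.version}: ${h.id}`);
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json'))`; a clean run after the upgrades should print nothing except any `undici` copy still pulled in by Firebase.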

🧪 Current Audit Report

Server

  • Before: 14 vulnerabilities (11 moderate, 3 high)

  • After fixes: 2 remaining (Firebase-related)

Client

  • Before: 27 vulnerabilities (1 low, 18 moderate, 7 high, 1 critical)

  • After fixes: 10 remaining (--force, Firebase-related)


✅ Recommended Action Plan

Phase 1 — Immediate

  • Upgrade multer to v2

  • Upgrade react-pdf and pdfjs-dist

Phase 2 — This Sprint

  • Upgrade vite / esbuild

  • Retest dev server security


✅ Testing Checklist

  • Server starts without errors: npm run dev

  • All tests pass: npm test

  • File upload works correctly

  • PDF viewing works correctly

  • Client builds successfully: npm run build

  • npm audit shows reduced vulnerabilities


🔗 References

  • Multer Security Advisories

  • PDF.js Vulnerability GHSA-wgrm-67xf-hhpq

  • esbuild Advisory GHSA-67mh-4wv8-2f99

  • undici Advisories (GHSA-c76h-2ccp-4975, GHSA-cxrh-j4jr-qwg3)
