Is there any fix available for Dicer vulnerability with Firebase admin?


I am trying to deploy my Firebase app using GitHub Actions. I am running the below commands for the same:

  1. npm install
  2. npm audit fix
  3. npm install [email protected]

It was working perfectly till 10 days back; now suddenly I am getting the below issue:

Crash in HeaderParser in dicer - https://github.com/advisories/GHSA-wm7h-9275-46v2
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/dicer
  firebase-admin  >=7.1.0
  Depends on vulnerable versions of dicer
  node_modules/firebase-admin
    firebase-functions  >=3.0.0
    Depends on vulnerable versions of firebase-admin
    node_modules/firebase-functions

I saw that there is an issue going on with Dicer, but as it's a dependency of firebase-admin there is no way to skip this. I want to do an urgent production deployment; how can I remove this blocker?

Best answer:

The issue needs to be resolved by the team maintaining the SDK. That being said, in spite of being listed as high severity, the use case for dicer in the SDK renders the risk profile low unless you are using dicer in your own code.

Here's the relevant issue on GitHub. One of the maintainers explains the issue as follows:

The Admin Node.js SDK uses dicer to parse multipart responses from Firebase and GCP backend servers. IIUC the threat introduced by the vulnerability in dicer is pretty low here as we can trust the responses from the BE servers. However, if you are using the dicer package to parse responses in your own code then you might be at a higher risk. Having said that, we are looking into the fixes mentioned in #1512 and the potential to use the fixed version of dicer in Admin SDK. I will use this issue to update the progress.