
There has been a lot of talk about CVEs in OS packages, and many of them have been fixed over time through updates. But there is a much bigger issue that has not been getting any attention, and it was introduced with Unraid 7: the Unraid API.
This API now runs in the background on every Unraid server by default. It is not optional, and it is deeply integrated into the system. It handles the web dashboards, authentication, system updates, and communication with Unraid services and mobile apps. It also decides who can make destructive requests to your Unraid system, such as wiping out your entire array.
Running Google's own OSV-Scanner (Open Source Vulnerabilities Scanner) against the Unraid API's 25.000-line lockfile, the manifest that pins all 2542 dependencies used to build the API, gives the following result:
```
./osv-scanner_linux_amd64 scan --lockfile ./pnpm-lock.yaml
Starting filesystem walk for root: /
Scanned /root/pnpm-lock.yaml file and found 2542 packages
End status: 0 dirs visited, 1 inodes visited, 1 Extract calls, 179.556705ms elapsed, 179.556969ms wall time
Total 81 packages affected by 195 known vulnerabilities (10 Critical, 98 High, 71 Medium, 15 Low, 1 Unknown) from 1 ecosystem.
```
Reproduce this by downloading https://github.com/google/osv-scanner and running it against https://github.com/unraid/api/blob/main/pnpm-lock.yaml using `./osv-scanner_linux_amd64 scan --lockfile ./pnpm-lock.yaml` - see the results for yourself.
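To triage a scan like this rather than just read the headline number, the scanner's `--format json` output can be rolled up by severity. The script below is an added example, not part of the post and not OSV-Scanner's own code; it assumes the JSON layout `results[].packages[].groups[]` with a `max_severity` CVSS score string per group, buckets scores with the standard CVSS v3 ratings, and runs on a constructed sample with placeholder package names and advisory ids.

```python
import json
from collections import Counter
# Constructed sample in the shape of `osv-scanner scan --format json` output
# (results -> packages -> groups with max_severity). Package names and advisory
# ids are placeholders, not findings from the Unraid lockfile.
SAMPLE_REPORT = json.dumps({"results": [{"packages": [
    {"package": {"name": "example-a", "version": "1.0.0", "ecosystem": "npm"},
     "groups": [{"ids": ["GHSA-PLACEHOLDER-0001"], "aliases": ["CVE-0000-0001"],
                 "max_severity": "9.8"},
                {"ids": ["GHSA-PLACEHOLDER-0002"], "max_severity": "7.5"}]},
    {"package": {"name": "example-b", "version": "2.1.0", "ecosystem": "npm"},
     "groups": [{"ids": ["GHSA-PLACEHOLDER-0002"], "max_severity": "7.5"},
                {"ids": ["GHSA-PLACEHOLDER-0003"], "max_severity": "5.3"},
                {"ids": ["GHSA-PLACEHOLDER-0004"], "max_severity": ""}]},
    {"package": {"name": "example-c", "version": "0.3.0", "ecosystem": "npm"},
     "groups": []},
]}]})

def bucket(max_severity: str) -> str:
    """CVSS v3 base score (the scanner's max_severity string) -> qualitative rating."""
    try:
        score = float(max_severity)
    except (TypeError, ValueError):
        return "Unknown"          # no score published for the advisory
    for floor, name in ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")):
        if score >= floor:
            return name
    return "Unknown"

def summarize(report_json: str) -> dict:
    """Count distinct vulnerability groups by severity and the packages they hit;
    a group shared by several packages is counted once."""
    affected, seen = set(), {}
    for result in json.loads(report_json)["results"]:
        for pkg in result["packages"]:
            groups = pkg.get("groups") or []
            if not groups:
                continue                # clean package, not "affected"
            p = pkg["package"]
            affected.add((p["ecosystem"], p["name"], p["version"]))
            for g in groups:
                seen[tuple(sorted(g["ids"]))] = bucket(g.get("max_severity", ""))
    return {"packages": len(affected), "vulnerabilities": len(seen),
            "by_severity": dict(Counter(seen.values()))}

def format_summary(s: dict) -> str:
    """Render the one-line summary in the form the scanner prints at the end."""
    parts = ", ".join(f"{s['by_severity'].get(k, 0)} {k}"
                      for k in ("Critical", "High", "Medium", "Low", "Unknown"))
    return (f"Total {s['packages']} packages affected by {s['vulnerabilities']} "
            f"known vulnerabilities ({parts})")
```

Feed it a real report with `osv-scanner scan --lockfile ./pnpm-lock.yaml --format json` and the same roll-up shows which share of the 195 findings actually sits in the Critical and High buckets.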
This is not something that gets fixed by updating a single package. It reflects the size and complexity of the dependency chain that is now part of every Unraid system by default. Supply-chain issues are real and affect us where we don't expect them.