Bluebird Memory Leak Vulnerability (NPM)

WSO2 Products impacted: no

Customer actions required: no


REPORTED VULNERABILITY

The bluebird package has a reported memory leak that occurs when its longStackTraces() function is called while the process is run with the --expose_gc flag. This can significantly increase memory usage and affect server availability [1].

REPORTED PRODUCTS

  • WSO2 API Manager : 3.0.0, 3.1.0, 3.2.0, 3.2.1, 4.0.0, 4.1.0, 4.2.0, 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.7.0

WSO2 JUSTIFICATION

Although [email protected] is included in the product pack as a transitive dependency of Stoplight UI components, it is not used at runtime in WSO2 API Manager. Therefore, this Bluebird issue [1] does not pose a threat in the context of API-M, because Bluebird is neither loaded nor executed as part of runtime operations.

We also verified that upgrading @stoplight/elements to the latest available version (v9.0.21) does not eliminate this dependency, because Bluebird remains in its internal dependency chain [2]. As a result, Bluebird cannot be upgraded or removed independently without changes in the upstream library.
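The dependency-chain finding above can be checked mechanically against a lockfile. The following is an added example, not WSO2's or Stoplight's code: it walks a package-lock.json v1-style tree using Node's nearest-node_modules resolution and lists every path from a direct dependency down to bluebird, then reports whether all such paths run through @stoplight/elements. The lock data, the direct-dependency list and the package name "placeholder-intermediate" are constructed placeholders; the real chain inside @stoplight/elements is not shown on this page.

```javascript
// Added example, not WSO2's or Stoplight's code: walk a package-lock v1-style
// tree ("dependencies" nesting plus "requires") and list every path from a
// direct dependency down to a target package. Lock data below is CONSTRUCTED.
const constructedLock = {
  dependencies: {
    "@stoplight/elements": { version: "9.0.21", requires: { "placeholder-intermediate": "^1.0.0" } },
    "placeholder-intermediate": { version: "1.0.0", requires: { bluebird: "^3.0.0" } },
    bluebird: { version: "0.0.0-placeholder" }, // placeholder version, not the real one
    "some-other-lib": { version: "1.0.0" },
  },
};
// Direct dependencies as they would be listed in the app's package.json (constructed).
const constructedDirectDeps = ["@stoplight/elements", "some-other-lib"];
// Resolve `name` as Node does: nearest enclosing node_modules first, then
// outward. `scopes` is the stack of enclosing "dependencies" objects.
function resolveDep(name, scopes) {
  for (let i = scopes.length - 1; i >= 0; i--) {
    if (scopes[i] && scopes[i][name]) {
      return { entry: scopes[i][name], scopes: scopes.slice(0, i + 1) };
    }
  }
  return null; // absent from the lockfile (e.g. a skipped optional dependency)
}
// Depth-first search from each direct dependency, following "requires".
// Returns chains of package names ending at `target`.
function findDependencyPaths(lock, directDeps, target) {
  const paths = [];
  function walk(name, entry, scopes, trail) {
    if (trail.includes(name)) return; // guard against dependency cycles
    const chain = [...trail, name];
    if (name === target) { paths.push(chain); return; }
    const inner = [...scopes, entry.dependencies]; // nested node_modules, if any
    for (const dep of Object.keys(entry.requires || {})) {
      const hit = resolveDep(dep, inner);
      if (hit) walk(dep, hit.entry, hit.scopes, chain);
    }
  }
  for (const name of directDeps) {
    const hit = resolveDep(name, [lock.dependencies]);
    if (hit) walk(name, hit.entry, hit.scopes, []);
  }
  return paths;
}
// True when every path to `target` runs through `upstream`: the target can
// then only be upgraded or removed by a change in that upstream package.
function onlyReachableVia(lock, directDeps, target, upstream) {
  const paths = findDependencyPaths(lock, directDeps, target);
  return paths.length > 0 && paths.every((p) => p.includes(upstream));
}
```

Against a real install, load the project's package-lock.json and the "dependencies" of package.json in place of the constructed objects.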

Therefore, the reported Bluebird vulnerability is not reachable or exploitable in the API-M runtime and does not pose a security risk.

To proactively address this concern and seek long-term clarity, we have raised the matter with the upstream maintainers of @stoplight/elements [3], requesting insight into their roadmap and any plans to remove or replace the Bluebird dependency. We will continue to monitor their response and assess any appropriate next steps.

REFERENCES