You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Affected versions of this package are vulnerable to Remote Memory Exposure.
A potential remote memory exposure vulnerability exists in request. If a request uses a multipart attachment and the body type option is number with value X, then X bytes of uninitialized memory will be sent in the body of the request.
Note that while the impact of this vulnerability is high (memory exposure), exploiting it is likely difficult, as the attacker needs to somehow control the body type of the request. One potential exploit scenario is when a request is composed based on JSON input, including the body type, allowing a malicious JSON to trigger the memory leak.
Details
Constructing a Buffer class with integer N creates a Buffer
of length N with non zero-ed out memory. Example:
varx=newBuffer(100);// uninitialized Buffer of length 100// vsvarx=newBuffer('100');// initialized Buffer with value of '100'
Initializing a multipart body in such manner will cause uninitialized memory to be sent in the body of the request.
Proof of concept
varhttp=require('http')varrequest=require('request')http.createServer(function(req,res){vardata=''req.setEncoding('utf8')req.on('data',function(chunk){console.log('data')data+=chunk})req.on('end',function(){// this will print uninitialized memory from the clientconsole.log('Client sent:\n',data)})res.end()}).listen(8000)request({method: 'POST',uri: 'http://localhost:8000',multipart: [{body: 1000}]},function(err,res,body){if(err)returnconsole.error('upload failed:',err)console.log('sent')})
Package Name: request
Package Version: ['2.42.0']
Package Manager: npm
Target File: package.json
Severity Level: medium
Snyk ID: npm:request:20160119
Snyk CVE: CVE-2017-16026
Snyk CWE: CWE-201
Link to issue in Snyk: https://app.snyk.io/org/rhicksiii91/project/93ddcac2-4d2c-43e7-b383-b47b30846d11
Snyk Description: ## Overview
request is a simplified http request client.
Affected versions of this package are vulnerable to Remote Memory Exposure.
A potential remote memory exposure vulnerability exists in
request
. If arequest
uses a multipart attachment and the body type option isnumber
with value X, then X bytes of uninitialized memory will be sent in the body of the request.Note that while the impact of this vulnerability is high (memory exposure), exploiting it is likely difficult, as the attacker needs to somehow control the body type of the request. One potential exploit scenario is when a request is composed based on JSON input, including the body type, allowing a malicious JSON to trigger the memory leak.
Details
Constructing a
Buffer
class with integerN
creates aBuffer
of length
N
with non zero-ed out memory.Example:
Initializing a multipart body in such manner will cause uninitialized memory to be sent in the body of the request.
Proof of concept
Remediation
Upgrade
request
to version 2.68.0 or higher.References
Blog: Information about Buffer
Blog: Node Buffer API fix
GitHub Commit
GitHub PR
The text was updated successfully, but these errors were encountered: