     expat 2.5.0-r1 (apk)
pkg:apk/alpine/expat@2.5.0-r1?os_name=alpine&os_version=3.18
| Affected range | <2.6.3-r0 | | Fixed version | 2.6.3-r0 | | EPSS Score | 0.09% | | EPSS Percentile | 40th percentile |
Description
| Affected range | <2.6.3-r0 | | Fixed version | 2.6.3-r0 | | EPSS Score | 0.09% | | EPSS Percentile | 40th percentile |
Description
| Affected range | <2.6.3-r0 | | Fixed version | 2.6.3-r0 | | EPSS Score | 0.05% | | EPSS Percentile | 18th percentile |
Description
| Affected range | <2.6.0-r0 | | Fixed version | 2.6.0-r0 | | EPSS Score | 0.09% | | EPSS Percentile | 39th percentile |
Description
| Affected range | <2.6.0-r0 | | Fixed version | 2.6.0-r0 | | EPSS Score | 0.05% | | EPSS Percentile | 21st percentile |
Description
| Affected range | <2.6.2-r0 | | Fixed version | 2.6.2-r0 | | EPSS Score | 0.04% | | EPSS Percentile | 11th percentile |
Description |
    stdlib 1.20.10 (golang)
pkg:golang/stdlib@1.20.10
| Affected range | <1.21.11 | | Fixed version | 1.21.11 | | EPSS Score | 0.06% | | EPSS Percentile | 28th percentile |
Description
The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms.
| Affected range | <1.22.7 | | Fixed version | 1.22.7 | | EPSS Score | 0.04% | | EPSS Percentile | 17th percentile |
Description
Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.
| Affected range | <1.22.7 | | Fixed version | 1.22.7 | | EPSS Score | 0.04% | | EPSS Percentile | 17th percentile |
Description
Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.
| Affected range | <1.21.12 | | Fixed version | 1.21.12 | | EPSS Score | 0.04% | | EPSS Percentile | 17th percentile |
Description
The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail.
An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.
| Affected range | <1.21.8 | | Fixed version | 1.21.8 | | EPSS Score | 0.04% | | EPSS Percentile | 11th percentile |
Description
The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions being made by programs using different parsers.
| Affected range | <1.21.9 | | Fixed version | 1.21.9 | | EPSS Score | 0.04% | | EPSS Percentile | 14th percentile |
Description
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames.
Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed.
This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send.
The fix sets a limit on the amount of excess header frames we will process before closing a connection.
| Affected range | <1.20.11 | | Fixed version | 1.20.11 | | EPSS Score | 0.11% | | EPSS Percentile | 46th percentile |
Description
The filepath package does not recognize paths with a ??\ prefix as special.
On Windows, a path beginning with ??\ is a Root Local Device path equivalent to a path beginning with \?. Paths with a ??\ prefix may be used to access arbitrary locations on the system. For example, the path ??\c:\x is equivalent to the more common path c:\x.
Before fix, Clean could convert a rooted path such as \a..??\b into the root local device path ??\b. Clean will now convert this to .??\b.
Similarly, Join(, ??, b) could convert a seemingly innocent sequence of path elements into the root local device path ??\b. Join will now convert this to .??\b.
In addition, with fix, IsAbs now correctly reports paths beginning with ??\ as absolute, and VolumeName correctly reports the ??\ prefix as a volume name.
UPDATE: Go 1.20.11 and Go 1.21.4 inadvertently changed the definition of the volume name in Windows paths starting with ?, resulting in filepath.Clean(?\c:) returning ?\c: rather than ?\c:\ (among other effects). The previous behavior has been restored.
| Affected range | <1.22.7 | | Fixed version | 1.22.7 | | EPSS Score | 0.19% | | EPSS Percentile | 56th percentile |
Description
Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.
| Affected range | <1.21.11 | | Fixed version | 1.21.11 | | EPSS Score | 0.04% | | EPSS Percentile | 11th percentile |
Description
The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors.
| Affected range | <1.20.11 | | Fixed version | 1.20.11 | | EPSS Score | 0.06% | | EPSS Percentile | 26th percentile |
Description
On Windows, The IsLocal function does not correctly detect reserved device names in some cases.
Reserved names followed by spaces, such as "COM1 ", and reserved names "COM" and "LPT" followed by superscript 1, 2, or 3, are incorrectly reported as local.
With fix, IsLocal now correctly reports these names as non-local.
| Affected range | <1.20.12 | | Fixed version | 1.20.12 | | EPSS Score | 0.05% | | EPSS Percentile | 21st percentile |
Description
A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body.
A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of a request.
Chunk extensions are a little-used HTTP feature which permit including additional metadata in a request or response body sent using the chunked encoding. The net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real body to encoded bytes grows too small.
| Affected range | <1.22.7 | | Fixed version | 1.22.7 | | EPSS Score | 0.04% | | EPSS Percentile | 17th percentile |
Description
Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.
| Affected range | <1.21.8 | | Fixed version | 1.21.8 | | EPSS Score | 0.04% | | EPSS Percentile | 11th percentile |
Description
If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing for subsequent actions to inject unexpected content into templates.
| Affected range | <1.21.8 | | Fixed version | 1.21.8 | | EPSS Score | 0.04% | | EPSS Percentile | 11th percentile |
Description
Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic.
This affects all crypto/tls clients, and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The default behavior is for TLS servers to not verify client certificates.
| Affected range | <1.21.8 | | Fixed version | 1.21.8 | | EPSS Score | 0.04% | | EPSS Percentile | 11th percentile |
Description
When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. This permits a maliciously crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion.
With fix, the ParseMultipartForm function now correctly limits the maximum size of form lines.
| Affected range | <1.21.8 | | Fixed version | 1.21.8 | | EPSS Score | 0.04% | | EPSS Percentile | 11th percentile |
Description
When following an HTTP redirect to a domain which is not a subdomain match or exact match of the initial domain, an http.Client does not forward sensitive headers such as "Authorization" or "Cookie". For example, a redirect from foo.com to www.foo.com will forward the Authorization header, but a redirect to bar.com will not.
A maliciously crafted HTTP redirect could cause sensitive headers to be unexpectedly forwarded.
|
  openssl 3.1.3-r0 (apk)
pkg:apk/alpine/openssl@3.1.3-r0?os_name=alpine&os_version=3.18
| Affected range | <3.1.6-r0 | | Fixed version | 3.1.6-r0 | | EPSS Score | 0.04% | | EPSS Percentile | 14th percentile |
Description
| Affected range | <3.1.7-r0 | | Fixed version | 3.1.7-r0 | | EPSS Score | 0.04% | | EPSS Percentile | 17th percentile |
Description
| Affected range | <3.1.4-r0 | | Fixed version | 3.1.4-r0 | | EPSS Score | 0.06% | | EPSS Percentile | 29th percentile |
Description
| Affected range | <3.1.4-r3 | | Fixed version | 3.1.4-r3 | | EPSS Score | 0.06% | | EPSS Percentile | 27th percentile |
Description
| Affected range | <3.1.4-r5 | | Fixed version | 3.1.4-r5 | | EPSS Score | 0.23% | | EPSS Percentile | 61st percentile |
Description
| Affected range | <3.1.5-r0 | | Fixed version | 3.1.5-r0 | | EPSS Score | 0.04% | | EPSS Percentile | 17th percentile |
Description
| Affected range | <3.1.4-r1 | | Fixed version | 3.1.4-r1 | | EPSS Score | 0.08% | | EPSS Percentile | 34th percentile |
Description
| Affected range | <3.1.7-r1 | | Fixed version | 3.1.7-r1 | | EPSS Score | 0.04% | | EPSS Percentile | 11th percentile |
Description
| Affected range | <3.1.6-r0 | | Fixed version | 3.1.6-r0 |
Description
| Affected range | <3.1.4-r6 | | Fixed version | 3.1.4-r6 | | EPSS Score | 0.04% | | EPSS Percentile | 17th percentile |
Description
| Affected range | <3.1.4-r4 | | Fixed version | 3.1.4-r4 | | EPSS Score | 0.04% | | EPSS Percentile | 17th percentile |
Description |
  git 2.40.1-r0 (apk)
pkg:apk/alpine/git@2.40.1-r0?os_name=alpine&os_version=3.18
| Affected range | <2.40.3-r0 | | Fixed version | 2.40.3-r0 | | EPSS Score | 0.15% | | EPSS Percentile | 52nd percentile |
Description
| Affected range | <2.40.3-r0 | | Fixed version | 2.40.3-r0 | | EPSS Score | 0.04% | | EPSS Percentile | 11th percentile |
Description
| Affected range | <2.40.3-r0 | | Fixed version | 2.40.3-r0 | | EPSS Score | 0.04% | | EPSS Percentile | 11th percentile |
Description
| Affected range | <2.40.3-r0 | | Fixed version | 2.40.3-r0 | | EPSS Score | 0.04% | | EPSS Percentile | 17th percentile |
Description
| Affected range | <2.40.3-r0 | | Fixed version | 2.40.3-r0 | | EPSS Score | 0.04% | | EPSS Percentile | 17th percentile |
Description |
   curl 8.4.0-r0 (apk)
pkg:apk/alpine/curl@8.4.0-r0?os_name=alpine&os_version=3.18
| Affected range | <8.7.1-r0 | | Fixed version | 8.7.1-r0 | | EPSS Score | 0.05% | | EPSS Percentile | 18th percentile |
Description
| Affected range | <8.9.0-r0 | | Fixed version | 8.9.0-r0 | | EPSS Score | 0.07% | | EPSS Percentile | 31st percentile |
Description
| Affected range | <8.7.1-r0 | | Fixed version | 8.7.1-r0 | | EPSS Score | 0.04% | | EPSS Percentile | 14th percentile |
Description
| Affected range | <8.5.0-r0 | | Fixed version | 8.5.0-r0 | | EPSS Score | 0.07% | | EPSS Percentile | 32nd percentile |
Description
| Affected range | <8.6.0-r0 | | Fixed version | Not Fixed | | EPSS Score | 0.06% | | EPSS Percentile | 25th percentile |
Description
| Affected range | <8.5.0-r0 | | Fixed version | 8.5.0-r0 | | EPSS Score | 0.05% | | EPSS Percentile | 21st percentile |
Description
| Affected range | <8.9.0-r0 | | Fixed version | 8.9.0-r0 | | EPSS Score | 0.08% | | EPSS Percentile | 35th percentile |
Description
| Affected range | <8.7.1-r0 | | Fixed version | 8.7.1-r0 | | EPSS Score | 0.05% | | EPSS Percentile | 18th percentile |
Description
| Affected range | <8.7.1-r0 | | Fixed version | 8.7.1-r0 | | EPSS Score | 0.04% | | EPSS Percentile | 14th percentile |
Description |
 ip 2.0.0 (npm)
pkg:npm/ip@2.0.0
 Server-Side Request Forgery (SSRF)
| Affected range | <=2.0.1 | | Fixed version | Not Fixed | | CVSS Score | 8.1 | | CVSS Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
Description
The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.
 Server-Side Request Forgery (SSRF)
| Affected range | >=2.0.0
<2.0.1
| | Fixed version | 2.0.1 | | EPSS Score | 0.08% | | EPSS Percentile | 37th percentile |
Description
The isPublic() function in the NPM package ip doesn't correctly identify certain private IP addresses in uncommon formats such as 0x7F.1 as private. Instead, it reports them as public by returning true. This can lead to security issues such as Server-Side Request Forgery (SSRF) if isPublic() is used to protect sensitive code paths when passed user input. Versions 1.1.9 and 2.0.1 fix the issue.
|
body-parser 1.20.1 (npm)
pkg:npm/body-parser@1.20.1
 Asymmetric Resource Consumption (Amplification)
| Affected range | <1.20.3 | | Fixed version | 1.20.3 | | CVSS Score | 7.5 | | CVSS Vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N | | EPSS Score | 0.05% | | EPSS Percentile | 18th percentile |
Description
Impact
body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service.
Patches
this issue is patched in 1.20.3
References
|
path-to-regexp 0.1.7 (npm)
pkg:npm/path-to-regexp@0.1.7
 Inefficient Regular Expression Complexity
| Affected range | <0.1.10 | | Fixed version | 0.1.10 | | CVSS Score | 7.5 | | CVSS Vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P | | EPSS Score | 0.04% | | EPSS Percentile | 17th percentile |
Description
Impact
A bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For example, /:a-:b.
Patches
For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0.
These versions add backtrack protection when a custom regex pattern is not provided:
They do not protect against vulnerable user supplied capture groups. Protecting against explicit user patterns is out of scope for old versions and not considered a vulnerability.
Version 7.1.0 can enable strict: true and get an error when the regular expression might be bad.
Version 8.0.0 removes the features that can cause a ReDoS.
Workarounds
All versions can be patched by providing a custom regular expression for parameters after the first in a single segment. As long as the custom regular expression does not match the text before the parameter, you will be safe. For example, change /:a-:b to /:a-:b([^-/]+).
If paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length. For example, halving the attack string improves performance by 4x faster.
Details
Using /:a-:b will produce the regular expression /^\/([^\/]+?)-([^\/]+?)\/?$/. This can be exploited by a path such as /a${'-a'.repeat(8_000)}/a. OWASP has a good example of why this occurs, but the TL;DR is the /a at the end ensures this route would never match but due to naive backtracking it will still attempt every combination of the :a-:b on the repeated 8,000 -a.
Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and can lead to a DoS. In local benchmarks, exploiting the unsafe regex will result in performance that is over 1000x worse than the safe regex. In a more realistic environment using Express v4 and 10 concurrent connections, this translated to average latency of ~600ms vs 1ms.
References
|
golang.org/x/text 0.3.7 (golang)
pkg:golang/golang.org/x/text@0.3.7
 Missing Release of Resource after Effective Lifetime
| Affected range | <0.3.8 | | Fixed version | 0.3.8 | | CVSS Score | 7.5 | | CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | | EPSS Score | 0.24% | | EPSS Percentile | 62nd percentile |
Description
The BCP 47 tag parser has quadratic time complexity due to inherent aspects of its design. Since the parser is, by design, exposed to untrusted user input, this can be leveraged to force a program to consume significant time parsing Accept-Language headers. The parser cannot be easily rewritten to fix this behavior for various reasons. Instead the solution implemented in this CL is to limit the total complexity of tags passed into ParseAcceptLanguage by limiting the number of dashes in the string to 1000. This should be more than enough for the majority of real world use cases, where the number of tags being sent is likely to be in the single digits.
Specific Go Packages Affected
golang.org/x/text/language
|
 busybox 1.36.1-r2 (apk)
pkg:apk/alpine/busybox@1.36.1-r2?os_name=alpine&os_version=3.18
| Affected range | <1.36.1-r6 | | Fixed version | 1.36.1-r6 | | EPSS Score | 0.04% | | EPSS Percentile | 14th percentile |
Description
| Affected range | <1.36.1-r7 | | Fixed version | 1.36.1-r7 | | EPSS Score | 0.04% | | EPSS Percentile | 14th percentile |
Description
| Affected range | <1.36.1-r7 | | Fixed version | 1.36.1-r7 | | EPSS Score | 0.04% | | EPSS Percentile | 14th percentile |
Description
| Affected range | <1.36.1-r7 | | Fixed version | 1.36.1-r7 | | EPSS Score | 0.04% | | EPSS Percentile | 14th percentile |
Description |
 express 4.18.2 (npm)
pkg:npm/express@4.18.2
 Improper Validation of Syntactic Correctness of Input
| Affected range | <4.19.2 | | Fixed version | 4.19.2 | | CVSS Score | 6.1 | | CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | | EPSS Score | 0.04% | | EPSS Percentile | 11th percentile |
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
| Affected range | <4.20.0 | | Fixed version | 4.20.0 | | CVSS Score | 5 | | CVSS Vector | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L | | EPSS Score | 0.05% | | EPSS Percentile | 18th percentile |
Description
Impact
In express <4.20.0, passing untrusted user input - even after sanitizing it - to response.redirect() may execute untrusted code
Patches
this issue is patched in express 4.20.0
Workarounds
users are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist
Details
successful exploitation of this vector requires the following:
- The attacker MUST control the input to response.redirect()
- express MUST NOT redirect before the template appears
- the browser MUST NOT complete redirection before:
- the user MUST click on the link in the template
|
follow-redirects 1.15.3 (npm)
pkg:npm/follow-redirects@1.15.3
 Exposure of Sensitive Information to an Unauthorized Actor
| Affected range | <=1.15.5 | | Fixed version | 1.15.6 | | CVSS Score | 6.5 | | CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | | EPSS Score | 0.04% | | EPSS Percentile | 11th percentile |
Description
When using axios, its dependency follow-redirects only clears authorization header during cross-domain redirect, but allows the proxy-authentication header which contains credentials too.
Steps To Reproduce & PoC
Test code:
const axios = require('axios');
axios.get('http://127.0.0.1:10081/', {
headers: {
'AuThorization': 'Rear Test',
'ProXy-AuthoriZation': 'Rear Test',
'coOkie': 't=1'
}
})
.then((response) => {
console.log(response);
})
When I meet the cross-domain redirect, the sensitive headers like authorization and cookie are cleared, but proxy-authentication header is kept.
Impact
This vulnerability may lead to credentials leak.
Recommendations
Remove proxy-authentication header during cross-domain redirect
Recommended Patch
follow-redirects/index.js:464
- removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers);
+ removeMatchingHeaders(/^(?:authorization|proxy-authorization|cookie)$/i, this._options.headers);
 Improper Input Validation
| Affected range | <1.15.4 | | Fixed version | 1.15.4 | | CVSS Score | 6.1 | | CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | | EPSS Score | 0.05% | | EPSS Percentile | 21st percentile |
Description
Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to misinterpret the hostname. An attacker could exploit this weakness to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches.
|
axios 0.21.4 (npm)
pkg:npm/axios@0.21.4
 Cross-Site Request Forgery (CSRF)
| Affected range | >=0.8.1
<0.28.0
| | Fixed version | 1.6.0 | | CVSS Score | 6.5 | | CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | | EPSS Score | 0.06% | | EPSS Percentile | 29th percentile |
Description
An issue discovered in Axios 0.8.1 through 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.
|
tar 6.2.0 (npm)
pkg:npm/tar@6.2.0
 Uncontrolled Resource Consumption
| Affected range | <6.2.1 | | Fixed version | 6.2.1 | | CVSS Score | 6.5 | | CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H | | EPSS Score | 0.04% | | EPSS Percentile | 17th percentile |
Description
Description:
During some analysis today on npm's node-tar package I came across the folder creation process, Basicly if you provide node-tar with a path like this ./a/b/c/foo.txt it would create every folder and sub-folder here a, b and c until it reaches the last folder to create foo.txt, In-this case I noticed that there's no validation at all on the amount of folders being created, that said we're actually able to CPU and memory consume the system running node-tar and even crash the nodejs client within few seconds of running it using a path with too many sub-folders inside
Steps To Reproduce:
You can reproduce this issue by downloading the tar file I provided in the resources and using node-tar to extract it, you should get the same behavior as the video
Proof Of Concept:
Here's a video show-casing the exploit:
Impact
Denial of service by crashing the nodejs client when attempting to parse a tar archive, make it run out of heap memory and consuming server CPU and memory resources
Report resources
payload.txt
archeive.tar.gz
Note
This report was originally reported to GitHub bug bounty program, they asked me to report it to you a month ago
|
tar 6.1.15 (npm)
pkg:npm/tar@6.1.15
Uncontrolled Resource Consumption
| Affected range | <6.2.1 | | Fixed version | 6.2.1 | | CVSS Score | 6.5 | | CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H | | EPSS Score | 0.04% | | EPSS Percentile | 17th percentile |
Description
Description:
During some analysis today on npm's node-tar package I came across the folder creation process, Basicly if you provide node-tar with a path like this ./a/b/c/foo.txt it would create every folder and sub-folder here a, b and c until it reaches the last folder to create foo.txt, In-this case I noticed that there's no validation at all on the amount of folders being created, that said we're actually able to CPU and memory consume the system running node-tar and even crash the nodejs client within few seconds of running it using a path with too many sub-folders inside
Steps To Reproduce:
You can reproduce this issue by downloading the tar file I provided in the resources and using node-tar to extract it, you should get the same behavior as the video
Proof Of Concept:
Here's a video show-casing the exploit:
Impact
Denial of service by crashing the nodejs client when attempting to parse a tar archive, make it run out of heap memory and consuming server CPU and memory resources
Report resources
payload.txt
archeive.tar.gz
Note
This report was originally reported to GitHub bug bounty program, they asked me to report it to you a month ago
|
krb5 1.20.1-r1 (apk)
pkg:apk/alpine/krb5@1.20.1-r1?os_name=alpine&os_version=3.18
| Affected range | <1.20.2-r0 | | Fixed version | 1.20.2-r0 | | EPSS Score | 0.43% | | EPSS Percentile | 75th percentile |
Description |
send 0.18.0 (npm)
pkg:npm/send@0.18.0
 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
| Affected range | <0.19.0 | | Fixed version | 0.19.0 | | CVSS Score | 5 | | CVSS Vector | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L | | EPSS Score | 0.05% | | EPSS Percentile | 18th percentile |
Description
Impact
passing untrusted user input - even after sanitizing it - to SendStream.redirect() may execute untrusted code
Patches
this issue is patched in send 0.19.0
Workarounds
users are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist
Details
successful exploitation of this vector requires the following:
- The attacker MUST control the input to response.redirect()
- express MUST NOT redirect before the template appears
- the browser MUST NOT complete redirection before:
- the user MUST click on the link in the template
|
serve-static 1.15.0 (npm)
pkg:npm/serve-static@1.15.0
 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
| Affected range | <1.16.0 | | Fixed version | 1.16.0 | | CVSS Score | 5 | | CVSS Vector | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L | | EPSS Score | 0.05% | | EPSS Percentile | 22nd percentile |
Description
Impact
passing untrusted user input - even after sanitizing it - to redirect() may execute untrusted code
Patches
this issue is patched in serve-static 1.16.0
Workarounds
users are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist
Details
successful exploitation of this vector requires the following:
- The attacker MUST control the input to response.redirect()
- express MUST NOT redirect before the template appears
- the browser MUST NOT complete redirection before:
- the user MUST click on the link in the template
|
jose 4.15.4 (npm)
pkg:npm/jose@4.15.4
 Uncontrolled Resource Consumption
| Affected range | >=3.0.0
<=4.15.4
| | Fixed version | 4.15.5 | | CVSS Score | 5.3 | | CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L | | EPSS Score | 0.04% | | EPSS Percentile | 14th percentile |
Description
A vulnerability has been identified in the JSON Web Encryption (JWE) decryption interfaces, specifically related to the support for decompressing plaintext after its decryption. This allows an adversary to exploit specific scenarios where the compression ratio becomes exceptionally high. As a result, the length of the JWE token, which is determined by the compressed content's size, can land below application-defined limits. In such cases, other existing application level mechanisms for preventing resource exhaustion may be rendered ineffective.
Note that as per RFC 8725 compression of data SHOULD NOT be done before encryption, because such compressed data often reveals information about the plaintext. For this reason the v5.x major version of jose removed support for compressed payloads entirely and is therefore NOT affected by this advisory.
Impact
Under certain conditions it is possible to have the user's environment consume unreasonable amount of CPU time or memory during JWE Decryption operations.
Affected users
The impact is limited only to Node.js users utilizing the JWE decryption APIs to decrypt JWEs from untrusted sources.
You are NOT affected if any of the following applies to you
- Your code uses jose version v5.x where JWE Compression is not supported anymore
- Your code runs in an environment other than Node.js (e.g. Deno, CF Workers), which is the only runtime where JWE Compression is implemented out of the box
- Your code does not use the JWE decryption APIs
- Your code only accepts JWEs produced by trusted sources
Patches
v2.0.7 and v4.15.5 releases limit the decompression routine to only allow decompressing up to 250 kB of plaintext. In v4.x it is possible to further adjust this limit via the inflateRaw decryption option implementation. In v2.x it is possible to further adjust this limit via the inflateRawSyncLimit decryption option.
Workarounds
If you cannot upgrade and do not want to support compressed JWEs you may detect and reject these tokens early by checking the token's protected header
const { zip } = jose.decodeProtectedHeader(token)
if (zip !== undefined) {
throw new Error('JWE Compression is not supported')
}
If you wish to continue supporting JWEs with compressed payloads in these legacy release lines you must upgrade (v1.x and v2.x to version v2.0.7, v3.x and v4.x to version v4.15.5) and review the limits put forth by the patched releases.
If you have any questions or comments about this advisory please open a discussion in the project's repository
|
cookie 0.5.0 (npm)
pkg:npm/cookie@0.5.0
 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
| Affected range | <0.7.0 | | Fixed version | 0.7.0 | | EPSS Score | 0.04% | | EPSS Percentile | 17th percentile |
Description
Impact
The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. For example, serialize("userName=<script>alert('XSS3')</script>; Max-Age=2592000; a", value) would result in "userName=<script>alert('XSS3')</script>; Max-Age=2592000; a=test", setting userName cookie to <script> and ignoring value.
A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie.
Patches
Upgrade to 0.7.0, which updates the validation for name, path, and domain.
Workarounds
Avoid passing untrusted or arbitrary values for these fields, ensure they are set by the application instead of user input.
References
|
