GHSA-86wf-436m-h424

Source
https://github.com/advisories/GHSA-86wf-436m-h424
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-86wf-436m-h424/GHSA-86wf-436m-h424.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-86wf-436m-h424
Aliases
Published
2022-01-06T20:30:13Z
Modified
2023-11-08T04:00:42.433382Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Resource Exhaustion Denial of Service in http-proxy-agent
Details

A flaw was found in http-proxy-agent prior to version 2.1.0. It was discovered that http-proxy-agent passes an auth option to the Buffer constructor without proper sanitization. In setups where an attacker can submit typed input to the auth parameter, this could result in a Denial of Service through the consumption of all available CPU resources, and in data exposure through an uninitialized memory leak.
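The type check that keeps attacker-chosen types away from Buffer can be sketched as follows. This is an added example, not code from http-proxy-agent or from this advisory: the function names, the 1024-byte limit and the sample request bodies are hypothetical, and it assumes the auth value is a `user:password` string that ends up base64-encoded in a Basic Proxy-Authorization header.

```javascript
// Added example, not http-proxy-agent code. All names here are hypothetical.
const MAX_AUTH_BYTES = 1024; // assumed upper bound for "user:password"

// Build a Basic Proxy-Authorization value, accepting only bounded strings.
function buildProxyAuthHeader(auth) {
  if (typeof auth !== 'string') {
    // A number reaching the legacy Buffer constructor is read as a size,
    // not as content, so every non-string type is rejected up front.
    throw new TypeError('proxy auth must be a string, got ' + describe(auth));
  }
  const bytes = Buffer.byteLength(auth, 'utf8');
  if (bytes === 0 || bytes > MAX_AUTH_BYTES) {
    throw new RangeError('proxy auth must be 1..' + MAX_AUTH_BYTES + ' bytes');
  }
  // Buffer.from(string) copies the string's bytes; it never allocates by size.
  return 'Basic ' + Buffer.from(auth, 'utf8').toString('base64');
}

function describe(value) {
  if (value === null) return 'null';
  return Array.isArray(value) ? 'array' : typeof value;
}

// Constructed request bodies: JSON lets the sender pick the type of "auth".
const SAMPLE_BODIES = [
  '{"auth":"user:secret"}',
  '{"auth":100000000}',
  '{"auth":["user","secret"]}',
  '{"auth":{"length":100000000}}',
  '{"auth":""}',
];

// Run every sample through the check and report accept/reject per input.
function auditSamples(bodies) {
  return bodies.map((body) => {
    const { auth } = JSON.parse(body);
    try {
      return { body, accepted: true, header: buildProxyAuthHeader(auth) };
    } catch (err) {
      return { body, accepted: false, reason: err.message };
    }
  });
}

for (const r of auditSamples(SAMPLE_BODIES)) {
  console.log(r.accepted ? 'ACCEPT' : 'REJECT', r.body, r.header || r.reason);
}
```

Only the first sample is accepted; the numeric, array, object and empty values are rejected before any Buffer call is made.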

Database specific
{
    "nvd_published_at": "2021-03-19T20:15:00Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-665"
    ],
    "github_reviewed_at": "2021-03-22T22:28:09Z",
    "severity": "MODERATE"
}
References

Affected packages

npm / http-proxy-agent

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.1.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-86wf-436m-h424/GHSA-86wf-436m-h424.json"