GHSA-r5w7-f542-q2j4

Source
https://github.com/advisories/GHSA-r5w7-f542-q2j4
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-r5w7-f542-q2j4/GHSA-r5w7-f542-q2j4.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-r5w7-f542-q2j4
Published
2025-01-28T20:37:26Z
Modified
2025-01-28T20:37:49Z
Severity
  • 3.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Summary
Potential DoS when using ContextLines integration
Details

Impact

The ContextLines integration uses readable streams so that source files can be read memory-efficiently. The integration attaches source context to outgoing events.

The stream was not explicitly closed after use. This could leave an excessive number of file handles open on the system and potentially lead to a Denial of Service (DoS).

The ContextLines integration is enabled by default in the Node SDK (@sentry/node) and SDKs that run in Node.js environments (@sentry/astro, @sentry/aws-serverless, @sentry/bun, @sentry/google-cloud-serverless, @sentry/nestjs, @sentry/nextjs, @sentry/nuxt, @sentry/remix, @sentry/solidstart, @sentry/sveltekit).

Patches

Users should upgrade to version 8.49.0 or higher.

Workarounds

To remediate this issue in affected versions without upgrading to version 8.49.0 or above, you can disable the ContextLines integration. See the docs for more details.

Sentry.init({
  // ...
  integrations: function (integrations) {
    // integrations will be all default integrations
    return integrations.filter(function (integration) {
      return integration.name !== "ContextLines";
    });
  },
});

If you disable the ContextLines integration, you will lose source context on your error events.

References

  • Reported issue: https://github.com/getsentry/sentry-javascript/issues/14892
  • PR Fix: https://github.com/getsentry/sentry-javascript/pull/14997
Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-774"
    ],
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2025-01-28T20:37:26Z"
}
Affected packages

All affected ranges are of type SEMVER in the npm ecosystem: introduced in 8.10.0, fixed in 8.49.0. Purls are shown where the record lists them.

Package                          Purl                                        Introduced  Fixed
@sentry/node                     -                                           8.10.0      8.49.0
@sentry/astro                    pkg:npm/%40sentry/astro                     8.10.0      8.49.0
@sentry/aws-serverless           pkg:npm/%40sentry/aws-serverless            8.10.0      8.49.0
@sentry/bun                      -                                           8.10.0      8.49.0
@sentry/google-cloud-serverless  pkg:npm/%40sentry/google-cloud-serverless   8.10.0      8.49.0
@sentry/nestjs                   pkg:npm/%40sentry/nestjs                    8.10.0      8.49.0
@sentry/nextjs                   pkg:npm/%40sentry/nextjs                    8.10.0      8.49.0
@sentry/nuxt                     -                                           8.10.0      8.49.0
@sentry/remix                    pkg:npm/%40sentry/remix                     8.10.0      8.49.0
@sentry/solidstart               pkg:npm/%40sentry/solidstart                8.10.0      8.49.0
@sentry/sveltekit                pkg:npm/%40sentry/sveltekit                 8.10.0      8.49.0