Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS04NmZjLWY5Z3ItdjUzM84AA5xc

HTTP Handling Vulnerability in the Bare server

Impact

This vulnerability relates to insecure handling of HTTP requests by the @tomphttp/bare-server-node package. This flaw potentially exposes the users of the package to manipulation of their web traffic. The impact may vary depending on the specific usage of the package but it can potentially affect any system where this package is in use.

Patches

Yes, the problem has been patched. We advise all users to upgrade to version @tomphttp/[email protected] as soon as possible.

Workarounds

Given the nature of the vulnerability, the most effective solution is to upgrade to the patched version of the package. Specific workaround strategies will be disclosed later due to security considerations.

References

Further information about this vulnerability will be provided at a later date to provide users with an opportunity to upgrade to a patched version and to prevent potential exploitation of the vulnerability. Users are advised to follow the repository announcements and updates.

Permalink: https://github.com/advisories/GHSA-86fc-f9gr-v533
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04NmZjLWY5Z3ItdjUzM84AA5xc
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: about 2 months ago
Updated: about 1 month ago


CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-86fc-f9gr-v533, CVE-2024-27922
References: Repository: https://github.com/tomphttp/bare-server-node
Blast Radius: 26.2

Affected Packages

npm:@tomphttp/bare-server-node
Dependent packages: 3
Dependent repositories: 467
Downloads: 41,715 last month
Affected Version Ranges: < 2.0.2
Fixed in: 2.0.2
All affected versions: 1.0.3, 1.0.4, 1.1.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 2.0.0, 2.0.1
All unaffected versions: 2.0.2, 2.0.3