Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS12anB2LXg4cDktN3A4Nc4AA9wM

images vulnerable to Denial of Service

All versions of the package images are vulnerable to Denial of Service (DoS): passing unexpected input types to several different functions reaches an assert macro, which aborts the process.

Note:
Passing certain integer values (such as 0) to the size function triggers a segmentation fault, which also crashes the process.

Permalink: https://github.com/advisories/GHSA-vjpv-x8p9-7p85
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12anB2LXg4cDktN3A4Nc4AA9wM
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 2 months ago
Updated: about 1 month ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Identifiers: GHSA-vjpv-x8p9-7p85, CVE-2024-21523
References: Repository: https://github.com/zhangyuanwei/node-images
Blast Radius: 20.4

Affected Packages

npm:images
Dependent packages: 222
Dependent repositories: 520
Downloads: 31,563 last month
Affected Version Ranges: <= 3.2.4
No known fixed version
All affected versions: 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9, 2.1.10, 2.1.11, 2.2.0, 2.2.1, 3.0.0, 3.0.1, 3.0.2, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4