Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS13NWZjLWdqM2gtMjZyeM4AA9wS
speaker vulnerable to Denial of Service
All versions of the package speaker are vulnerable to Denial of Service (DoS): providing unexpected input types to the channels property of the Speaker object makes it possible to reach an assert macro. Exploiting this vulnerability can lead to a process crash.
Permalink: https://github.com/advisories/GHSA-w5fc-gj3h-26rx
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13NWZjLWdqM2gtMjZyeM4AA9wS
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 5 months ago
Updated: 4 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-w5fc-gj3h-26rx, CVE-2024-21526
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-21526
- https://security.snyk.io/vuln/SNYK-JS-SPEAKER-6370676
- https://github.com/TooTallNate/node-speaker/blob/316afff5a393fce438cf7296011fcfc6e12aa9dc/src/binding.c#L48
- https://github.com/advisories/GHSA-w5fc-gj3h-26rx
Blast Radius: 21.8
Affected Packages
npm:speaker
Dependent packages: 227
Dependent repositories: 803
Downloads: 18,348 last month
Affected Version Ranges: <= 0.5.5
No known fixed version
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.0.7, 0.0.8, 0.0.9, 0.0.10, 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.2.6, 0.3.0, 0.3.1, 0.4.0, 0.4.1, 0.4.2, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.5.5