Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTI3d3EtcXgzcS1meG05
Improper Handling of Unexpected Data Type in ced
Impact
In ced v0.1.0, passing data types other than Buffer causes the Node.js process to crash.
Patches
The problem has been patched in ced v1.0.0. You can upgrade from v0.1.0 without any breaking changes.
Workarounds
Before passing an argument to ced, verify it’s a Buffer using Buffer.isBuffer(obj).
CVSS score
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/RL:O/RC:C
Base Score: 7.5 (High)
Temporal Score: 7.2 (High)
Since ced is a library, the scoring is based on the “reasonable worst-case implementation scenario”, namely, accepting data from untrusted sources over a network and passing it directly to ced. Depending on your specific implementation, the vulnerability’s severity in your program may be different.
Proof of concept
const express = require("express");
const bodyParser = require("body-parser");
const ced = require("ced");
const app = express();
app.use(bodyParser.raw());
app.post("/", (req, res) => {
const encoding = ced(req.body);
res.end(encoding);
});
app.listen(3000);
curl --request POST --header "Content-Type: text/plain" --data foo http://localhost:3000 crashes the server.
References
Permalink: https://github.com/advisories/GHSA-27wq-qx3q-fxm9JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTI3d3EtcXgzcS1meG05
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: over 1 year ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-27wq-qx3q-fxm9, CVE-2021-39131
References:
- https://github.com/sonicdoe/ced/security/advisories/GHSA-27wq-qx3q-fxm9
- https://nvd.nist.gov/vuln/detail/CVE-2021-39131
- https://github.com/sonicdoe/ced/commit/a4d9f10b6bf1cd468d1a5b9a283cdf437f8bb7b3
- https://github.com/sonicdoe/ced/releases/tag/v1.0.0
- https://github.com/advisories/GHSA-27wq-qx3q-fxm9
Blast Radius: 10.1
Affected Packages
npm:ced
Dependent packages: 4Dependent repositories: 22
Downloads: 15,042 last month
Affected Version Ranges: < 1.0.0
Fixed in: 1.0.0
All affected versions: 0.1.0
All unaffected versions: 1.0.0, 2.0.0