Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTJtdnEteHA0OC00Yzc3
Denial of Service in subtext
All versions of subtext are vulnerable to Denial of Service (DoS). The package fails to enforce the maxBytes configuration for payloads with chunked encoding that are written to the file system. This allows attackers to send requests with arbitrary payload sizes, which may exhaust system resources leading to Denial of Service.
Recommendation
This package is not actively maintained and has been moved to @hapi/subtext where version 6.1.2.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTJtdnEteHA0OC00Yzc3
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 4 years ago
Updated: about 2 years ago
Identifiers: GHSA-2mvq-xp48-4c77
References:
- https://github.com/hapijs/subtext/issues/72
- https://www.npmjs.com/advisories/1168
- https://github.com/advisories/GHSA-2mvq-xp48-4c77
Blast Radius: 0.0
Affected Packages
npm:subtext
Dependent packages: 16Dependent repositories: 10,764
Downloads: 124,890 last month
Affected Version Ranges: >= 0.0.0
No known fixed version
All affected versions: 0.0.0, 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.1, 2.0.0, 2.0.1, 2.0.2, 3.0.0, 3.0.1, 3.0.2, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.1.0, 4.2.0, 4.2.1, 4.2.2, 4.3.0, 4.4.0, 4.4.1, 5.0.0, 5.0.1, 5.1.3, 6.0.0, 6.0.1, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12