Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTNwd2gtNW1tYy1td3J4
Denial of Service in nes
Affected versions of nes are vulnerable to denial of service when given an invalid cookie header, and websocket authentication is set to cookie. Submitting an invalid cookie on the websocket upgrade request will cause the node process to throw and exit.
Recommendation
Update to version 6.4.1 or later.
Permalink: https://github.com/advisories/GHSA-3pwh-5mmc-mwrxJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTNwd2gtNW1tYy1td3J4
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 6 years ago
Updated: over 1 year ago
Identifiers: GHSA-3pwh-5mmc-mwrx, CVE-2017-16025
References:
- https://nvd.nist.gov/vuln/detail/CVE-2017-16025
- https://github.com/hapijs/nes/issues/171
- https://github.com/hapijs/nes/commit/249ba1755ed6977fbc208463c87364bf884ad655
- https://github.com/advisories/GHSA-3pwh-5mmc-mwrx
- https://www.npmjs.com/advisories/331
Blast Radius: 0.0
Affected Packages
npm:nes
Dependent packages: 56Dependent repositories: 131
Downloads: 3,272 last month
Affected Version Ranges: <= 6.4.0
Fixed in: 6.4.1
All affected versions: 0.1.0, 0.2.0, 0.3.0, 0.4.0, 1.0.0, 1.1.0, 1.1.1, 1.1.2, 1.2.0, 1.2.1, 1.2.2, 2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 3.0.0, 3.1.0, 3.1.1, 3.1.2, 4.0.0, 4.1.0, 4.2.0, 4.2.1, 4.3.0, 4.4.0, 4.4.1, 4.5.0, 4.6.0, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.1.2, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.3.0, 6.3.1, 6.3.2, 6.4.0
All unaffected versions: 6.4.1, 6.4.2, 6.4.3, 6.5.1, 6.5.2, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.1.0, 7.2.0, 8.0.0, 8.0.1, 8.1.0, 9.0.0, 9.0.1, 9.0.2, 9.1.0, 10.0.0, 10.0.1, 10.0.2