Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.


Missing Release of Memory after Effective Lifetime in detect-character-encoding

Impact

In detect-character-encoding v0.3.0 and earlier, allocated memory is not released.

Patches

The problem has been patched in detect-character-encoding v0.3.1.

CVSS score

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/RL:O/RC:C

Base Score: 7.5 (High)
Temporal Score: 7.2 (High)

Since detect-character-encoding is a library, the scoring is based on the “reasonable worst-case implementation scenario”, namely, using detect-character-encoding in a program accessible over the internet which becomes unavailable when running out of memory. Depending on your specific implementation, the vulnerability’s severity in your program may be different.

Proof of concept

const express = require("express");
const detectCharacterEncoding = require("detect-character-encoding");

const app = express();

// Every request runs one detection on a 3-byte buffer. In v0.3.0 and earlier the
// memory allocated by that call is never released, so the process grows with each request.
app.get("/", (req, res) => {
  detectCharacterEncoding(Buffer.from("foo"));

  res.end();
});

app.listen(3000);

Running hey -n 1000000 http://localhost:3000 (hey is an HTTP load-generation tool) causes the Node.js process to consume more and more memory.

References

Permalink: https://github.com/advisories/GHSA-5rwj-j5m3-3chj
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTVyd2otajVtMy0zY2hq
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: over 1 year ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Identifiers: GHSA-5rwj-j5m3-3chj, CVE-2021-39176
References: Repository: https://github.com/sonicdoe/detect-character-encoding
Blast Radius: 14.0

Affected Packages

npm:detect-character-encoding
Dependent packages: 35
Dependent repositories: 73
Downloads: 14,125 last month
Affected Version Ranges: < 0.3.1
Fixed in: 0.3.1
All affected versions: 0.1.0, 0.2.0, 0.2.1, 0.3.0
All unaffected versions: 0.3.1, 0.4.0, 0.5.0, 0.5.1, 0.6.0, 0.7.0, 0.8.0, 0.9.0
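The affected range above is what a dependency check consumes. The following is an added example, not code from the advisory or from the detect-character-encoding project: it applies the "< 0.3.1" range to a package-lock.json so that nested copies under another dependency's node_modules are caught as well as the top-level one. The lockfile shown is constructed for the example, and prerelease ordering is simplified relative to full semver.

```javascript
// Advisory data taken from the page; fixedIn bounds the affected range "< 0.3.1".
const ADVISORY = { id: "GHSA-5rwj-j5m3-3chj", name: "detect-character-encoding", fixedIn: "0.3.1" };

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]"; build metadata is ignored per semver.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ?? null };
}

// Numeric comparison ("0.10.0" is newer than "0.9.0", unlike a string compare). A prerelease
// (0.3.1-rc.1) sorts below its release, so it still counts as affected; prerelease
// identifiers are compared as plain strings here (simplified relative to full semver).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

function isAffected(version) {
  return compareVersions(version, ADVISORY.fixedIn) < 0;
}
// Walk a lockfileVersion 2/3 "packages" map so nested copies are found too. Everything
// after the last "node_modules/" in a key is the package name (scoped names keep "@scope/").
function findAffected(lockfile) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages ?? {})) {
    if (path === "") continue; // the root project itself
    const name = path.replace(/^.*node_modules\//, "");
    if (name === ADVISORY.name && entry.version && isAffected(entry.version)) {
      hits.push({ path, version: entry.version, advisory: ADVISORY.id });
    }
  }
  return hits;
}

// Constructed sample lockfile (v3 layout): a patched top-level copy plus a vulnerable nested copy.
const SAMPLE_LOCK = {
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/detect-character-encoding": { version: "0.9.0" },
    "node_modules/some-dep": { version: "2.0.0" },
    "node_modules/some-dep/node_modules/detect-character-encoding": { version: "0.3.0" },
  },
};
console.log(findAffected(SAMPLE_LOCK)); // flags only the nested 0.3.0 copy
```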