Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTc3ZzQtMzZqcC01djNt
Remote Memory Disclosure in bittorrent-dht
Versions of bittorrent-dht prior to 5.1.3 are affected by a remote memory disclosure vulnerability. This vulnerability allows an attacker to send a specific series of of messages to a listening peer and get it to reveal internal memory.
There are two mitigating factors here, that slightly reduce the impact of this vulnerability:
- Any modern kernel will zero out new memory pages before handing them off to a process. This means that only memory previously used and deallocated by the node process can be leaked.
- Node.js manages Buffers by creating a few large internal SlowBuffers, and slicing them up into smaller Buffers which are made accessible in JS. They are not stored on V8's heap, because garbage collection would interfere. The result is that only memory that has been previously allocated as a Buffer can be leaked.
Recommendation
Update to version 5.1.3 or later.
Permalink: https://github.com/advisories/GHSA-77g4-36jp-5v3mJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTc3ZzQtMzZqcC01djNt
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 4 years ago
Updated: about 2 years ago
EPSS Percentage: 0.00151
EPSS Percentile: 0.5169
Identifiers: GHSA-77g4-36jp-5v3m, CVE-2016-10519
References:
- https://github.com/feross/bittorrent-dht/issues/87
- https://www.npmjs.com/advisories/68
- https://nvd.nist.gov/vuln/detail/CVE-2016-10519
- https://github.com/advisories/GHSA-77g4-36jp-5v3m
Blast Radius: 0.0
Affected Packages
npm:bittorrent-dht
Dependent packages: 64Dependent repositories: 1,293
Downloads: 38,910 last month
Affected Version Ranges: < 5.1.3
Fixed in: 5.1.3
All affected versions: 0.1.0, 0.1.1, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.3.0, 0.3.1, 0.4.0, 0.5.0, 0.6.0, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 0.7.5, 0.7.6, 1.0.0, 1.1.0, 1.1.1, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.4.0, 1.5.0, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.3.0, 2.3.1, 2.4.0, 2.5.0, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.7.0, 2.7.1, 2.7.2, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.1.0, 3.1.1, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 5.0.0, 5.1.0, 5.1.1, 5.1.2
All unaffected versions: 5.1.3, 6.0.0, 6.0.1, 6.1.0, 6.2.0, 6.3.0, 6.3.1, 6.3.2, 6.4.0, 6.4.1, 6.4.2, 7.0.0, 7.0.1, 7.0.2, 7.1.0, 7.2.1, 7.2.2, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.4.0, 7.4.1, 7.5.0, 7.5.1, 7.5.2, 7.5.3, 7.6.0, 7.7.0, 7.8.0, 7.8.1, 7.8.2, 7.9.0, 7.10.0, 8.0.0, 8.0.1, 8.1.0, 8.2.0, 8.2.1, 8.3.0, 8.4.0, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 10.0.0, 10.0.1, 10.0.2, 10.0.3, 10.0.4, 10.0.5, 10.0.6, 10.0.7, 11.0.0, 11.0.1, 11.0.2, 11.0.3, 11.0.4, 11.0.5, 11.0.6, 11.0.7, 11.0.8, 11.0.9