Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTg2d2YtNDM2bS1oNDI0
Resource Exhaustion Denial of Service in http-proxy-agent
A flaw was found in http-proxy-agent, prior to version 2.1.0. It was discovered http-proxy-agent passes an auth option to the Buffer constructor without proper sanitization. This could result in a Denial of Service through the usage of all available CPU resources and data exposure through an uninitialized memory leak in setups where an attacker could submit typed input to the auth parameter.
Permalink: https://github.com/advisories/GHSA-86wf-436m-h424JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTg2d2YtNDM2bS1oNDI0
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 1 year ago
Updated: 4 months ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-86wf-436m-h424, CVE-2019-10196
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-10196
- https://github.com/TooTallNate/node-http-proxy-agent/commit/b7b7cc793c3226aa83f820ce5c277e81862d32eb
- https://bugzilla.redhat.com/show_bug.cgi?id=1567245
- https://www.npmjs.com/advisories/607
- https://github.com/advisories/GHSA-86wf-436m-h424
Affected Packages
npm:http-proxy-agent
Versions: < 2.1.0Fixed in: 2.1.0