Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTg2d2YtNDM2bS1oNDI0
Resource Exhaustion Denial of Service in http-proxy-agent
A flaw was found in http-proxy-agent, prior to version 2.1.0. It was discovered http-proxy-agent passes an auth option to the Buffer constructor without proper sanitization. This could result in a Denial of Service through the usage of all available CPU resources and data exposure through an uninitialized memory leak in setups where an attacker could submit typed input to the auth parameter.
Permalink: https://github.com/advisories/GHSA-86wf-436m-h424JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTg2d2YtNDM2bS1oNDI0
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: about 1 year ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-86wf-436m-h424, CVE-2019-10196
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-10196
- https://github.com/TooTallNate/node-http-proxy-agent/commit/b7b7cc793c3226aa83f820ce5c277e81862d32eb
- https://bugzilla.redhat.com/show_bug.cgi?id=1567245
- https://www.npmjs.com/advisories/607
- https://github.com/advisories/GHSA-86wf-436m-h424
Blast Radius: 60.4
Affected Packages
npm:http-proxy-agent
Dependent packages: 1,185Dependent repositories: 1,460,327
Downloads: 190,547,510 last month
Affected Version Ranges: < 2.1.0
Fixed in: 2.1.0
All affected versions: 0.0.1, 0.0.2, 0.1.0, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.2.6, 0.2.7, 1.0.0, 2.0.0
All unaffected versions: 2.1.0, 3.0.0, 4.0.0, 4.0.1, 5.0.0, 6.0.0, 6.0.1, 6.1.0, 6.1.1, 7.0.0, 7.0.1, 7.0.2