Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTg2d2YtNDM2bS1oNDI0

Resource Exhaustion Denial of Service in http-proxy-agent

A flaw was found in http-proxy-agent, prior to version 2.1.0. It was discovered http-proxy-agent passes an auth option to the Buffer constructor without proper sanitization. This could result in a Denial of Service through the usage of all available CPU resources and data exposure through an uninitialized memory leak in setups where an attacker could submit typed input to the auth parameter.

Permalink: https://github.com/advisories/GHSA-86wf-436m-h424
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTg2d2YtNDM2bS1oNDI0
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: over 1 year ago


CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-86wf-436m-h424, CVE-2019-10196
References: Repository: https://github.com/TooTallNate/node-http-proxy-agent
Blast Radius: 60.4

Affected Packages

npm:http-proxy-agent
Dependent packages: 1,185
Dependent repositories: 1,460,327
Downloads: 201,956,706 last month
Affected Version Ranges: < 2.1.0
Fixed in: 2.1.0
All affected versions: 0.0.1, 0.0.2, 0.1.0, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.2.6, 0.2.7, 1.0.0, 2.0.0
All unaffected versions: 2.1.0, 3.0.0, 4.0.0, 4.0.1, 5.0.0, 6.0.0, 6.0.1, 6.1.0, 6.1.1, 7.0.0, 7.0.1, 7.0.2