Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.


Denial of Service in http-proxy-agent

Versions of http-proxy-agent before 2.1.0 are vulnerable to denial of service and to a leak of uninitialized memory when unsanitized options are passed to Buffer. An attacker may leverage these unsanitized options to consume system resources.

Recommendation

Update to version 2.1.0 or later.

Permalink: https://github.com/advisories/GHSA-8w57-jfpm-945m
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTh3NTctamZwbS05NDVt
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 5 years ago
Updated: about 1 year ago


Identifiers: GHSA-8w57-jfpm-945m
References: Repository: https://github.com/TooTallNate/node-http-proxy-agent
Blast Radius: 0.0

Affected Packages

npm:http-proxy-agent
Dependent packages: 1,185
Dependent repositories: 1,460,327
Downloads: 192,156,686 last month
Affected Version Ranges: < 2.1.0
Fixed in: 2.1.0
All affected versions: 0.0.1, 0.0.2, 0.1.0, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.2.6, 0.2.7, 1.0.0, 2.0.0
All unaffected versions: 2.1.0, 3.0.0, 4.0.0, 4.0.1, 5.0.0, 6.0.0, 6.0.1, 6.1.0, 6.1.1, 7.0.0, 7.0.1, 7.0.2