Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.


Out-of-bounds Read in stringstream

All versions of stringstream are vulnerable to an out-of-bounds read: the module allocates uninitialized Buffers when a number is passed in the input stream on Node.js 4.x and below.

Recommendation

No fix is currently available for this vulnerability. It is our recommendation to not install or use this module if user input is being passed into stringstream.

Permalink: https://github.com/advisories/GHSA-mf6x-7mm4-x2g7
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW1mNngtN21tNC14Mmc3
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 5 years ago
Updated: over 1 year ago


Identifiers: GHSA-mf6x-7mm4-x2g7, CVE-2018-21270
References: Repository: https://github.com/mhart/StringStream
Blast Radius: 0.0

Affected Packages

npm:stringstream
Dependent packages: 166
Dependent repositories: 576,970
Downloads: 3,386,368 last month
Affected Version Ranges: < 0.0.6
Fixed in: 0.0.6
All affected versions: 0.0.0, 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5
All unaffected versions: 0.0.6, 1.0.0