Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWc3NHItZmZ2ci01cTlm

Memory Exposure in concat-stream

Versions of concat-stream before 1.5.2 are vulnerable to memory exposure if user-provided input is passed into write().

Versions <1.3.0 are not affected because they do not use the unguarded Buffer constructor.

Recommendation

Update to version 1.5.2, 1.4.11, 1.3.2 or later.

If you are unable to update, make sure that user-provided input passed to the write() function is not a number.
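As an added example (not code from the advisory or from concat-stream itself), the mitigation above can be enforced with a small guard that validates each chunk's type before it ever reaches write(); the function names toSafeChunk and guardedWriter are assumptions, and the in-memory sink stands in for a concat-stream instance.

```javascript
// Added example, not part of the advisory or concat-stream. toSafeChunk and
// guardedWriter are assumed names for illustration.

// Returns a Buffer for the chunk types concat-stream is meant to receive
// (string, Buffer, Uint8Array, array of byte values) and throws for numbers:
// on Node versions contemporary with the advisory, `new Buffer(n)` with a
// numeric n allocated n bytes of uninitialized memory instead of encoding n.
function toSafeChunk(chunk) {
  if (typeof chunk === 'number' || chunk instanceof Number) {
    throw new TypeError('numeric chunk rejected: would allocate uninitialized memory');
  }
  if (Buffer.isBuffer(chunk)) return chunk;
  if (typeof chunk === 'string') return Buffer.from(chunk, 'utf8');
  if (chunk instanceof Uint8Array) return Buffer.from(chunk);
  if (Array.isArray(chunk) && chunk.every((b) => Number.isInteger(b) && b >= 0 && b <= 255)) {
    return Buffer.from(chunk);
  }
  throw new TypeError(`unsupported chunk type: ${typeof chunk}`);
}

// Wraps a writable (e.g. the stream returned by concat-stream) so that every
// chunk is validated with toSafeChunk before the underlying write() is called.
function guardedWriter(stream) {
  return {
    write(chunk) { return stream.write(toSafeChunk(chunk)); },
    end() { return stream.end(); },
  };
}

// Constructed usage: an in-memory sink plays the role of concat-stream.
function demo() {
  const received = [];
  const sink = { write(b) { received.push(b); return true; }, end() {} };
  const w = guardedWriter(sink);
  w.write('hello ');
  w.write(Buffer.from('world'));
  let rejected = false;
  try { w.write(1024); } catch (e) { rejected = e instanceof TypeError; } // number is refused
  w.end();
  return { text: Buffer.concat(received).toString(), rejected };
}
```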

Permalink: https://github.com/advisories/GHSA-g74r-ffvr-5q9f
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWc3NHItZmZ2ci01cTlm
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 5 years ago
Updated: over 1 year ago
Identifiers: GHSA-g74r-ffvr-5q9f
References: Repository: https://github.com/maxogden/concat-stream
Blast Radius: 0.0

Affected Packages

npm:concat-stream
Dependent packages: 4,740
Dependent repositories: 1,049,268
Downloads: 92,018,863 last month
Affected Version Ranges: >= 1.3.0, < 1.3.2, >= 1.4.0, < 1.4.11, >= 1.5.0, < 1.5.2
Fixed in: 1.3.2, 1.4.11, 1.5.2
All affected versions: 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6, 1.4.7, 1.4.8, 1.4.10, 1.5.0, 1.5.1
All unaffected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.0.7, 0.0.8, 0.0.9, 0.1.0, 0.1.1, 1.0.0, 1.0.1, 1.1.0, 1.2.0, 1.2.1, 1.3.2, 1.4.11, 1.5.2, 1.6.0, 1.6.1, 1.6.2, 2.0.0