Vulnerabilities

 368 via 613 paths

Dependencies

 2176

Source

 GitHub

Commit

 b5bf44fd

Find, fix and prevent vulnerabilities in your code.

Test and protect my applications
Issue type
  • 368
  • 8
Severity
  • 23
  • 241
  • 103
  • 9
Status
  • 376
  • 0
  • 0

critical severity

Prototype Pollution

  • Vulnerable module: deep-defaults
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 deep-defaults@1.0.5

Overview

deep-defaults is a Recursive version of _.defaults

Affected versions of this package are vulnerable to Prototype Pollution due to the _deepDefaults function. An attacker can cause a denial of service and may lead to remote code execution by supplying a malicious value that includes the __proto__ property, leading to the pollution of the Object prototype. This flaw allows for the creation of non-existent properties or manipulation of existing ones, which can disrupt service or potentially allow for arbitrary code execution.

PoC

var deepDefaults = require("deep-defaults")
var malicious_payload = '{"__proto__":{"polluted":"Yes! Its Polluted"}}';
var obj ={};
console.log("Before : " + {}.polluted);
deepDefaults(obj, JSON.parse(malicious_payload));
console.log("After : " + {}.polluted);

Details

Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as __proto__, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.

There are two main ways in which the pollution of prototypes occurs:

  • Unsafe Object recursive merge

  • Property definition by path

Unsafe Object recursive merge

The logic of a vulnerable recursive merge function follows the following high-level model:

merge (target, source)

  foreach property of source

    if property exists and is an object on both the target and the source

      merge(target[property], source[property])

    else

      target[property] = source[property]

When the source object contains a property named __proto__ defined with Object.defineProperty() , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of Object and the source of Object as defined by the attacker. Properties are then copied on the Object prototype.

Clone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: merge({},source).

lodash and Hoek are examples of libraries susceptible to recursive merge attacks.

Property definition by path

There are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: theFunction(object, path, value)

If the attacker can control the value of “path”, they can set this value to __proto__.myValue. myValue is then assigned to the prototype of the class of the object.

Types of attacks

There are a few methods by which Prototype Pollution can be manipulated:

Type Origin Short description
Denial of service (DoS) Client This is the most likely attack.
DoS occurs when Object holds generic functions that are implicitly called for various operations (for example, toString and valueOf).
The attacker pollutes Object.prototype.someattr and alters its state to an unexpected value such as Int or Object. In this case, the code fails and is likely to cause a denial of service.
For example: if an attacker pollutes Object.prototype.toString by defining it as an integer, if the codebase at any point was reliant on someobject.toString() it would fail.
Remote Code Execution Client Remote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.
For example: eval(someobject.someattr). In this case, if the attacker pollutes Object.prototype.someattr they are likely to be able to leverage this in order to execute code.
Property Injection Client The attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.
For example: if a codebase checks privileges for someuser.isAdmin, then when the attacker pollutes Object.prototype.isAdmin and sets it to equal true, they can then achieve admin privileges.

Affected environments

The following environments are susceptible to a Prototype Pollution attack:

  • Application server

  • Web server

  • Web browser

How to prevent

  1. Freeze the prototype— use Object.freeze (Object.prototype).

  2. Require schema validation of JSON input.

  3. Avoid using unsafe recursive merge functions.

  4. Consider using objects without prototypes (for example, Object.create(null)), breaking the prototype chain and preventing pollution.

  5. As a best practice use Map instead of Object.

For more information on this vulnerability type:

Arteau, Oliver. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018

Remediation

There is no fixed version for deep-defaults.

References

Prototype Pollution vulnerability report

critical severity

Improper Input Validation

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Improper Input Validation via Mojo. If the endpoint's task runner does not match the current task runner (or an equivalent main-thread task runner for the ChannelProxy) when executing a message dispatch task for that endpoint, it dispatches it on the wrong sequence.

Remediation

Upgrade electron to version 13.6.8, 14.2.4, 15.3.5 or higher.

References

Improper Input Validation vulnerability report

critical severity

Out-of-bounds

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Out-of-bounds via the V8 component in Chrome.

Remediation

Upgrade electron to version 11.4.4, 10.4.4, 12.0.6 or higher.

References

Out-of-bounds vulnerability report

critical severity

Out-of-bounds Write

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Out-of-bounds Write via ANGLE in Chrome.

Remediation

Upgrade electron to version 12.0.13, 11.4.10 or higher.

References

Out-of-bounds Write vulnerability report

critical severity

Type Confusion

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Type Confusion via the V8 module in Chromium.

Remediation

Upgrade electron to version 14.2.1, 13.6.2, 12.2.3 or higher.

References

Type Confusion vulnerability report

critical severity

Type Confusion

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Type Confusion in V8 Turbofan, exploiting this vulnerability is possible via a crafted HTML page.

Remediation

Upgrade electron to version 15.5.3, 16.2.4, 17.4.2 or higher.

References

Type Confusion vulnerability report

critical severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free. An unknown vunerability exists in Chrome.

Remediation

Upgrade electron to version 9.4.1, 10.3.2 or higher.

References

Use After Free vulnerability report

critical severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via handling of cookies.

Remediation

Upgrade electron to version 9.4.2, 10.3.1, 11.2.2 or higher.

References

Use After Free vulnerability report

critical severity

Remote Code Execution (RCE)

  • Vulnerable module: vm2
  • Introduced through: vm2@3.9.19 and vm2-process@2.1.5

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d vm2@3.9.19
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d vm2-process@2.1.5 vm2@3.9.19

Overview

vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules.

Affected versions of this package are vulnerable to Remote Code Execution (RCE) due to insufficient checks which allow an attacker to escape the sandbox.

Note:

According to the maintainer, the security issue cannot be properly addressed and the library will be discontinued.

Remediation

There is no fixed version for vm2.

References

Remote Code Execution (RCE) vulnerability report

critical severity

Remote Code Execution (RCE)

  • Vulnerable module: vm2
  • Introduced through: vm2@3.9.19 and vm2-process@2.1.5

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d vm2@3.9.19
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d vm2-process@2.1.5 vm2@3.9.19

Overview

vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules.

Affected versions of this package are vulnerable to Remote Code Execution (RCE) such that the Promise handler sanitization can be bypassed, allowing attackers to escape the sandbox.

Note:

According to the maintainer, the security issue cannot be properly addressed and the library will be discontinued.

Remediation

There is no fixed version for vm2.

References

Remote Code Execution (RCE) vulnerability report

critical severity

Improper Input Validation

  • Vulnerable module: xmldom
  • Introduced through: pragmatismo-io-framework@1.1.1, botlib@5.0.0 and others

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d pragmatismo-io-framework@1.1.1 ms-rest-azure@2.5.9 adal-node@0.1.28 xmldom@0.6.0
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 pragmatismo-io-framework@1.1.1 ms-rest-azure@2.5.9 adal-node@0.1.28 xmldom@0.6.0
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d open-docxtemplater-image-module@1.0.3 xmldom@0.1.31
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d textract@2.5.0 xmldom@0.1.27

Overview

xmldom is an A pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module.

Affected versions of this package are vulnerable to Improper Input Validation due to parsing XML that is not well-formed, and contains multiple top-level elements. All the root nodes are being added to the childNodes collection of the Document, without reporting or throwing any error.

Workarounds

One of the following approaches might help, depending on your use case:

  1. Instead of searching for elements in the whole DOM, only search in the documentElement.

  2. Reject a document with a document that has more than 1 childNode.

PoC

var DOMParser = require('xmldom').DOMParser;
var xmlData = '<?xml version="1.0" encoding="UTF-8"?>\n' +
'<root>\n' +
'  <branch girth="large">\n' +
'    <leaf color="green" />\n' +
'  </branch>\n' +
'</root>\n' +
'<root>\n' +
'  <branch girth="twig">\n' +
'    <leaf color="gold" />\n' +
'  </branch>\n' +
'</root>\n';
var xmlDOM = new DOMParser().parseFromString(xmlData);
console.log(xmlDOM.toString());

This will result with the following output:

<?xml version="1.0" encoding="UTF-8"?><root>
  <branch girth="large">
    <leaf color="green"/>
  </branch>
</root>
<root>
  <branch girth="twig">
    <leaf color="gold"/>
  </branch>
</root>

Remediation

There is no fixed version for xmldom.

References

Improper Input Validation vulnerability report

critical severity

Type Confusion

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Type Confusion due to a flaw in the WebAssembly component. An attacker can execute arbitrary code on the victim's machine by convincing them to visit a maliciously crafted HTML page.

Remediation

Upgrade electron to version 27.3.9, 28.2.10, 29.2.0 or higher.

References

Type Confusion vulnerability report

critical severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via the Mojo interface. An attacker can potentially exploit heap corruption by delivering a crafted HTML page.

Remediation

Upgrade electron to version 27.3.3 or higher.

References

Use After Free vulnerability report

critical severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free due to improper handling of objects in memory in the ANGLE graphics engine. An attacker can cause heap corruption and potentially execute arbitrary code by convincing a user to visit a specially crafted HTML page.

Remediation

Upgrade electron to version 27.3.9, 28.2.10, 29.2.0 or higher.

References

Use After Free vulnerability report

critical severity

Heap-based Buffer Overflow

  • Vulnerable module: webp-converter
  • Introduced through: webp-converter@2.3.3

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d webp-converter@2.3.3

Overview

Affected versions of this package are vulnerable to Heap-based Buffer Overflow when the ReadHuffmanCodes() function is used. An attacker can craft a special WebP lossless file that triggers the ReadHuffmanCodes() function to allocate the HuffmanCode buffer with a size that comes from an array of precomputed sizes: kTableSize. The color_cache_bits value defines which size to use. The kTableSize array only takes into account sizes for 8-bit first-level table lookups but not second-level table lookups. libwebp allows codes that are up to 15-bit (MAX_ALLOWED_CODE_LENGTH). When BuildHuffmanTable() attempts to fill the second-level tables it may write data out-of-bounds. The OOB write to the undersized array happens in ReplicateValue.

Notes:

This is only exploitable if the color_cache_bits value defines which size to use.

This vulnerability was also published on libwebp CVE-2023-5129

Changelog:

2023-09-12: Initial advisory publication

2023-09-27: Advisory details updated, including CVSS, references

2023-09-27: CVE-2023-5129 rejected as a duplicate of CVE-2023-4863

2023-09-28: Research and addition of additional affected libraries

2024-01-28: Additional fix information

Remediation

There is no fixed version for webp-converter.

References

Heap-based Buffer Overflow vulnerability report

critical severity

Access of Resource Using Incompatible Type ('Type Confusion')

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8 and electron@32.0.1

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d electron@32.0.1
    Remediation: Upgrade to electron@37.2.5.

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Access of Resource Using Incompatible Type ('Type Confusion') via the lack of limitation on max inlining ids in MaglevGraphBuilder. An attacker can achieve heap corruption and potentially execute arbitrary code by enticing a user to visit a specially crafted HTML page.

Remediation

Upgrade electron to version 37.2.5 or higher.

References

Access of Resource Using Incompatible Type ('Type Confusion') vulnerability report

critical severity

Out-of-bounds Read

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Out-of-bounds Read via a crafted HTML page. An attacker can potentially perform a sandbox escape by manipulating the memory outside its intended buffer limits.

Remediation

Upgrade electron to version 29.4.6, 30.4.0 or higher.

References

Out-of-bounds Read vulnerability report

critical severity

Type Confusion

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Type Confusion via crafted HTML content. This can be exploited to escape the v8 sandbox and execute arbitrary code on the operating system.

Remediation

Upgrade electron to version 31.7.1, 32.2.1 or higher.

References

Type Confusion vulnerability report

critical severity

Predictable Value Range from Previous Values

  • Vulnerable module: form-data
  • Introduced through: instagram-private-api@1.46.1, ms-rest-azure@3.0.2 and others

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d instagram-private-api@1.46.1 request@2.88.2 form-data@2.3.3
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d ms-rest-azure@3.0.2 request@2.88.2 form-data@2.3.3
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d nexmo@2.9.1 request@2.88.2 form-data@2.3.3
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d ms-rest-azure@3.0.2 ms-rest@2.5.6 request@2.88.2 form-data@2.3.3
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d pragmatismo-io-framework@1.1.1 ms-rest-azure@2.5.9 request@2.88.2 form-data@2.3.3
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 data-forge@0.5.3 request@2.88.2 form-data@2.3.3
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d get-image-colors@4.0.1 get-pixels@3.3.3 request@2.88.2 form-data@2.3.3
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d pragmatismo-io-framework@1.1.1 azure-cognitiveservices-textanalytics@2.0.0 ms-rest@2.5.6 request@2.88.2 form-data@2.3.3
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d pragmatismo-io-framework@1.1.1 ms-rest-azure@2.5.9 ms-rest@2.5.6 request@2.88.2 form-data@2.3.3
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d pragmatismo-io-framework@1.1.1 ms-rest-azure@2.5.9 adal-node@0.1.28 request@2.88.2 form-data@2.3.3
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 pragmatismo-io-framework@1.1.1 ms-rest-azure@2.5.9 request@2.88.2 form-data@2.3.3
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 pragmatismo-io-framework@1.1.1 azure-cognitiveservices-textanalytics@2.0.0 ms-rest@2.5.6 request@2.88.2 form-data@2.3.3
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 pragmatismo-io-framework@1.1.1 ms-rest-azure@2.5.9 ms-rest@2.5.6 request@2.88.2 form-data@2.3.3
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 pragmatismo-io-framework@1.1.1 ms-rest-azure@2.5.9 adal-node@0.1.28 request@2.88.2 form-data@2.3.3
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8 electron-download@3.3.0 nugget@2.2.0 request@2.88.2 form-data@2.3.3
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d ibm-watson@9.1.0 ibm-cloud-sdk-core@4.3.4 form-data@4.0.0
    Remediation: Upgrade to ibm-watson@10.0.0.

Overview

Affected versions of this package are vulnerable to Predictable Value Range from Previous Values via the boundary value, which uses Math.random(). An attacker can manipulate HTTP request boundaries by exploiting predictable values, potentially leading to HTTP parameter pollution.

Remediation

Upgrade form-data to version 2.5.4, 3.0.4, 4.0.4 or higher.

References

Predictable Value Range from Previous Values vulnerability report

critical severity

Improper Verification of Cryptographic Signature

  • Vulnerable module: elliptic
  • Introduced through: botframework-connector@4.23.0, botbuilder@4.23.0 and others

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botframework-connector@4.23.0 crypto-browserify@3.12.1 browserify-sign@4.2.3 elliptic@6.6.1
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botframework-connector@4.23.0 crypto-browserify@3.12.1 create-ecdh@4.0.4 elliptic@6.6.1
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botbuilder@4.23.0 botframework-connector@4.23.0 crypto-browserify@3.12.1 browserify-sign@4.2.3 elliptic@6.6.1
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botbuilder-dialogs@4.23.0 botframework-connector@4.23.0 crypto-browserify@3.12.1 browserify-sign@4.2.3 elliptic@6.6.1
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botbuilder-ai@4.23.0 botframework-connector@4.23.0 crypto-browserify@3.12.1 browserify-sign@4.2.3 elliptic@6.6.1
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botframework-connector@4.23.0 crypto-browserify@3.12.1 browserify-sign@4.2.3 elliptic@6.6.1
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botbuilder@4.23.0 botframework-connector@4.23.0 crypto-browserify@3.12.1 create-ecdh@4.0.4 elliptic@6.6.1
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botbuilder-dialogs@4.23.0 botframework-connector@4.23.0 crypto-browserify@3.12.1 create-ecdh@4.0.4 elliptic@6.6.1
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botbuilder-ai@4.23.0 botframework-connector@4.23.0 crypto-browserify@3.12.1 create-ecdh@4.0.4 elliptic@6.6.1
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botframework-connector@4.23.0 crypto-browserify@3.12.1 create-ecdh@4.0.4 elliptic@6.6.1
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botbuilder@4.23.0 botbuilder-core@4.23.0 botframework-connector@4.23.0 crypto-browserify@3.12.1 browserify-sign@4.2.3 elliptic@6.6.1
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botbuilder-dialogs@4.23.0 botbuilder-core@4.23.0 botframework-connector@4.23.0 crypto-browserify@3.12.1 browserify-sign@4.2.3 elliptic@6.6.1
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botbuilder-ai@4.23.0 botbuilder-core@4.23.0 botframework-connector@4.23.0 crypto-browserify@3.12.1 browserify-sign@4.2.3 elliptic@6.6.1
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botbuilder@4.23.0 botframework-connector@4.23.0 crypto-browserify@3.12.1 browserify-sign@4.2.3 elliptic@6.6.1
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botbuilder-ai@4.23.0 botbuilder-dialogs@4.23.0 botframework-connector@4.23.0 crypto-browserify@3.12.1 browserify-sign@4.2.3 elliptic@6.6.1
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botbuilder-dialogs@4.23.0 botframework-connector@4.23.0 crypto-browserify@3.12.1 browserify-sign@4.2.3 elliptic@6.6.1
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botbuilder-ai@4.23.0 botframework-connector@4.23.0 crypto-browserify@3.12.1 browserify-sign@4.2.3 elliptic@6.6.1
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botbuilder@4.23.0 botbuilder-core@4.23.0 botframework-connector@4.23.0 crypto-browserify@3.12.1 create-ecdh@4.0.4 elliptic@6.6.1
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botbuilder-dialogs@4.23.0 botbuilder-core@4.23.0 botframework-connector@4.23.0 crypto-browserify@3.12.1 create-ecdh@4.0.4 elliptic@6.6.1
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botbuilder-ai@4.23.0 botbuilder-core@4.23.0 botframework-connector@4.23.0 crypto-browserify@3.12.1 create-ecdh@4.0.4 elliptic@6.6.1
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botbuilder@4.23.0 botframework-connector@4.23.0 crypto-browserify@3.12.1 create-ecdh@4.0.4 elliptic@6.6.1
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botbuilder-ai@4.23.0 botbuilder-dialogs@4.23.0 botframework-connector@4.23.0 crypto-browserify@3.12.1 create-ecdh@4.0.4 elliptic@6.6.1
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botbuilder-dialogs@4.23.0 botframework-connector@4.23.0 crypto-browserify@3.12.1 create-ecdh@4.0.4 elliptic@6.6.1
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botbuilder-ai@4.23.0 botframework-connector@4.23.0 crypto-browserify@3.12.1 create-ecdh@4.0.4 elliptic@6.6.1
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botbuilder@4.23.0 botbuilder-core@4.23.0 botframework-connector@4.23.0 crypto-browserify@3.12.1 browserify-sign@4.2.3 elliptic@6.6.1
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botbuilder-ai@4.23.0 botbuilder-dialogs@4.23.0 botbuilder-core@4.23.0 botframework-connector@4.23.0 crypto-browserify@3.12.1 browserify-sign@4.2.3 elliptic@6.6.1
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botbuilder-dialogs@4.23.0 botbuilder-core@4.23.0 botframework-connector@4.23.0 crypto-browserify@3.12.1 browserify-sign@4.2.3 elliptic@6.6.1
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botbuilder-ai@4.23.0 botbuilder-core@4.23.0 botframework-connector@4.23.0 crypto-browserify@3.12.1 browserify-sign@4.2.3 elliptic@6.6.1
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botbuilder-azure@4.23.0 botbuilder@4.23.0 botframework-connector@4.23.0 crypto-browserify@3.12.1 browserify-sign@4.2.3 elliptic@6.6.1
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botbuilder-ai@4.23.0 botbuilder-dialogs-declarative@4.23.0-preview botbuilder-dialogs@4.23.0 botframework-connector@4.23.0 crypto-browserify@3.12.1 browserify-sign@4.2.3 elliptic@6.6.1
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botbuilder-ai@4.23.0 botbuilder-dialogs@4.23.0 botframework-connector@4.23.0 crypto-browserify@3.12.1 browserify-sign@4.2.3 elliptic@6.6.1
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botbuilder@4.23.0 botbuilder-core@4.23.0 botframework-connector@4.23.0 crypto-browserify@3.12.1 create-ecdh@4.0.4 elliptic@6.6.1
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botbuilder-ai@4.23.0 botbuilder-dialogs@4.23.0 botbuilder-core@4.23.0 botframework-connector@4.23.0 crypto-browserify@3.12.1 create-ecdh@4.0.4 elliptic@6.6.1
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botbuilder-dialogs@4.23.0 botbuilder-core@4.23.0 botframework-connector@4.23.0 crypto-browserify@3.12.1 create-ecdh@4.0.4 elliptic@6.6.1
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botbuilder-ai@4.23.0 botbuilder-core@4.23.0 botframework-connector@4.23.0 crypto-browserify@3.12.1 create-ecdh@4.0.4 elliptic@6.6.1
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botbuilder-azure@4.23.0 botbuilder@4.23.0 botframework-connector@4.23.0 crypto-browserify@3.12.1 create-ecdh@4.0.4 elliptic@6.6.1
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botbuilder-ai@4.23.0 botbuilder-dialogs-declarative@4.23.0-preview botbuilder-dialogs@4.23.0 botframework-connector@4.23.0 crypto-browserify@3.12.1 create-ecdh@4.0.4 elliptic@6.6.1
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botbuilder-ai@4.23.0 botbuilder-dialogs@4.23.0 botframework-connector@4.23.0 crypto-browserify@3.12.1 create-ecdh@4.0.4 elliptic@6.6.1
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botbuilder-azure@4.23.0 botbuilder@4.23.0 botbuilder-core@4.23.0 botframework-connector@4.23.0 crypto-browserify@3.12.1 browserify-sign@4.2.3 elliptic@6.6.1
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botbuilder-ai@4.23.0 botbuilder-dialogs-declarative@4.23.0-preview botbuilder-dialogs@4.23.0 botbuilder-core@4.23.0 botframework-connector@4.23.0 crypto-browserify@3.12.1 browserify-sign@4.2.3 elliptic@6.6.1
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botbuilder-ai@4.23.0 botbuilder-dialogs@4.23.0 botbuilder-core@4.23.0 botframework-connector@4.23.0 crypto-browserify@3.12.1 browserify-sign@4.2.3 elliptic@6.6.1
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botbuilder-ai@4.23.0 botbuilder-dialogs-declarative@4.23.0-preview botbuilder-dialogs@4.23.0 botframework-connector@4.23.0 crypto-browserify@3.12.1 browserify-sign@4.2.3 elliptic@6.6.1
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botbuilder-azure@4.23.0 botbuilder@4.23.0 botbuilder-core@4.23.0 botframework-connector@4.23.0 crypto-browserify@3.12.1 create-ecdh@4.0.4 elliptic@6.6.1
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botbuilder-ai@4.23.0 botbuilder-dialogs-declarative@4.23.0-preview botbuilder-dialogs@4.23.0 botbuilder-core@4.23.0 botframework-connector@4.23.0 crypto-browserify@3.12.1 create-ecdh@4.0.4 elliptic@6.6.1
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botbuilder-ai@4.23.0 botbuilder-dialogs@4.23.0 botbuilder-core@4.23.0 botframework-connector@4.23.0 crypto-browserify@3.12.1 create-ecdh@4.0.4 elliptic@6.6.1
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botbuilder-ai@4.23.0 botbuilder-dialogs-declarative@4.23.0-preview botbuilder-dialogs@4.23.0 botframework-connector@4.23.0 crypto-browserify@3.12.1 create-ecdh@4.0.4 elliptic@6.6.1
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botbuilder-ai@4.23.0 botbuilder-dialogs-declarative@4.23.0-preview botbuilder-dialogs@4.23.0 botbuilder-core@4.23.0 botframework-connector@4.23.0 crypto-browserify@3.12.1 browserify-sign@4.2.3 elliptic@6.6.1
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botbuilder-ai@4.23.0 botbuilder-dialogs-declarative@4.23.0-preview botbuilder-dialogs@4.23.0 botbuilder-core@4.23.0 botframework-connector@4.23.0 crypto-browserify@3.12.1 create-ecdh@4.0.4 elliptic@6.6.1

Overview

elliptic is a fast elliptic-curve cryptography implementation in plain javascript.

Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature due to an anomaly in the _truncateToN function. An attacker can cause legitimate transactions or communications to be incorrectly flagged as invalid by exploiting the signature verification process when the hash contains at least four leading 0 bytes, and the order of the elliptic curve's base point is smaller than the hash.

In some situations, a private key exposure is possible. This can happen when an attacker knows a faulty and the corresponding correct signature for the same message.

Note: Although the vector for exploitation of this vulnerability was restricted with the release of versions 6.6.0 and 6.6.1, it remains possible to generate invalid signatures in some cases in those releases as well.

PoC

var elliptic = require('elliptic'); // tested with version 6.5.7
var hash = require('hash.js');
var BN = require('bn.js');
var toArray = elliptic.utils.toArray;

var ec = new elliptic.ec('p192');
var msg = '343236343739373234';
var sig = '303502186f20676c0d04fc40ea55d5702f798355787363a91e97a7e50219009d1c8c171b2b02e7d791c204c17cea4cf556a2034288885b';
// Same public key just in different formats
var pk = '04cd35a0b18eeb8fcd87ff019780012828745f046e785deba28150de1be6cb4376523006beff30ff09b4049125ced29723';
var pkPem = '-----BEGIN PUBLIC KEY-----\nMEkwEwYHKoZIzj0CAQYIKoZIzj0DAQEDMgAEzTWgsY7rj82H/wGXgAEoKHRfBG54\nXeuigVDeG+bLQ3ZSMAa+/zD/CbQEkSXO0pcj\n-----END PUBLIC KEY-----\n';

// Create hash
var hashArray = hash.sha256().update(toArray(msg, 'hex')).digest();
// Convert array to string (just for showcase of the leading zeros)
var hashStr = Array.from(hashArray, function(byte) {
  return ('0' + (byte & 0xFF).toString(16)).slice(-2);
}).join('');
var hMsg = new BN(hashArray, 'hex');
// Hashed message contains 4 leading zeros bytes
console.log('sha256 hash(str): ' + hashStr);
// Due to using BN bitLength lib it does not calculate the bit length correctly (should be 32 since it is a sha256 hash)
console.log('Byte len of sha256 hash: ' + hMsg.byteLength());
console.log('sha256 hash(BN): ' + hMsg.toString(16));

// Due to the shift of the message to be within the order of the curve the delta computation is invalid
var pubKey = ec.keyFromPublic(toArray(pk, 'hex'));
console.log('Valid signature: ' + pubKey.verify(hashStr, sig));

// You can check that this hash should validate by consolidating openssl
const fs = require('fs');
fs.writeFile('msg.bin', new BN(msg, 16).toBuffer(), (err) => {
  if (err) throw err;
});
fs.writeFile('sig.bin', new BN(sig, 16).toBuffer(), (err) => {
  if (err) throw err;
});
fs.writeFile('cert.pem', pkPem, (err) => {
  if (err) throw err;
});

// To verify the correctness of the message signature and key one can run:
// openssl dgst -sha256 -verify cert.pem -signature sig.bin msg.bin
// Or run this python script
/*
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec


msg = '343236343739373234'
sig = '303502186f20676c0d04fc40ea55d5702f798355787363a91e97a7e50219009d1c8c171b2b02e7d791c204c17cea4cf556a2034288885b'
pk = '04cd35a0b18eeb8fcd87ff019780012828745f046e785deba28150de1be6cb4376523006beff30ff09b4049125ced29723'

p192 = ec.SECP192R1()
pk = ec.EllipticCurvePublicKey.from_encoded_point(p192, bytes.fromhex(pk))
pk.verify(bytes.fromhex(sig), bytes.fromhex(msg), ec.ECDSA(hashes.SHA256()))
*/

Remediation

There is no fixed version for elliptic.

References

Improper Verification of Cryptographic Signature vulnerability report

critical severity

Out-of-bounds Write

  • Vulnerable module: electron
  • Introduced through: electron@32.0.1

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d electron@32.0.1
    Remediation: Upgrade to electron@32.3.0.

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Out-of-bounds Write in V8.

Remediation

Upgrade electron to version 32.3.0, 33.3.2 or higher.

References

Out-of-bounds Write vulnerability report

critical severity

Out-of-Bounds Write

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Out-of-Bounds Write via the V8 engine. An attacker can potentially exploit heap corruption by crafting a malicious HTML page.

Remediation

Upgrade electron to version 31.7.2 or higher.

References

Out-of-Bounds Write vulnerability report

critical severity

Regular Expression Denial of Service (ReDoS)

  • Vulnerable module: koa
  • Introduced through: koa@2.15.3

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d koa@2.15.3
    Remediation: Upgrade to koa@2.15.4.

Overview

koa is a Koa web app framework

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the parsing of X-Forwarded-Proto and X-Forwarded-Host HTTP headers.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

Let’s take the following regular expression as an example:

regex = /A(B|C+)+D/

This regular expression accomplishes the following:

  • A The string must start with the letter 'A'
  • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
  • D Finally, we ensure this section of the string ends with a 'D'

The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

It most cases, it doesn't take very long for a regex engine to find a match:

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
0.04s user 0.01s system 95% cpu 0.052 total

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
1.79s user 0.02s system 99% cpu 1.812 total

The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

  1. CCC
  2. CC+C
  3. C+CC
  4. C+C+C.

The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

From there, the number of steps the engine must use to validate a string just continues to grow.

String Number of C's Number of steps
ACCCX 3 38
ACCCCX 4 71
ACCCCCX 5 136
ACCCCCCCCCCCCCCX 14 65,553

By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

Remediation

Upgrade koa to version 0.21.2, 1.7.1, 2.15.4, 3.0.0-alpha.3 or higher.

References

Regular Expression Denial of Service (ReDoS) vulnerability report

high severity

Access of Resource Using Incompatible Type ('Type Confusion')

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Access of Resource Using Incompatible Type ('Type Confusion'). Type confusion in V8 in Google Chrome allows a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Remediation

Upgrade electron to version 12.0.12, 11.4.9 or higher.

References

Access of Resource Using Incompatible Type ('Type Confusion') vulnerability report

high severity

Access Restriction Bypass

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Access Restriction Bypass in Blink.

Remediation

Upgrade electron to version 13.5.0, 12.2.0 or higher.

References

Access Restriction Bypass vulnerability report

high severity

Heap Buffer Overflow

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Heap Buffer Overflow via WebAudio.

Remediation

Upgrade electron to version 11.4.0, 10.4.1 or higher.

References

Heap Buffer Overflow vulnerability report

high severity

Heap Overflow

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Heap Overflow. A Heap buffer overflow exists in the media component of Google Chrome, which also affects chromium.

Remediation

Upgrade electron to version 6.1.10, 7.2.2, 8.2.1 or higher.

References

Heap Overflow vulnerability report

high severity

Heap-based Buffer Overflow

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Heap-based Buffer Overflow. A heap buffer overflow flaw was found in the UI component of the Chromium browser.

Remediation

Upgrade electron to version 9.4.0, 10.2.0 or higher.

References

Heap-based Buffer Overflow vulnerability report

high severity

Heap-based Buffer Overflow

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Heap-based Buffer Overflow via the WebRTC module in Chromium.

Remediation

Upgrade electron to version 14.2.0, 13.5.2, 12.2.3 or higher.

References

Heap-based Buffer Overflow vulnerability report

high severity

Heap-based Buffer Overflow

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Heap-based Buffer Overflow in the ANGLE component.

Remediation

Upgrade electron to version 26.6.5, 27.2.2 or higher.

References

Heap-based Buffer Overflow vulnerability report

high severity

Heap-based Buffer Overflow

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Heap-based Buffer Overflow via a crafted HTML page. An attacker can potentially exploit heap corruption by deceiving a user to visit a malicious web page.

Remediation

Upgrade electron to version 27.3.3 or higher.

References

Heap-based Buffer Overflow vulnerability report

high severity

Heap-based Buffer Overflow

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Heap-based Buffer Overflow in the ANGLE component. An attacker can potentially exploit heap corruption through a crafted HTML page.

Remediation

Upgrade electron to version 27.3.11, 28.3.1, 29.3.1 or higher.

References

Heap-based Buffer Overflow vulnerability report

high severity

Heap-based Buffer Overflow

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Heap-based Buffer Overflow through the WebRTC component. An attacker can cause heap corruption and potentially execute arbitrary code by crafting a malicious HTML page.

Remediation

Upgrade electron to version 29.4.3, 30.1.2 or higher.

References

Heap-based Buffer Overflow vulnerability report

high severity

Improper Access Control

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Improper Access Control. An insufficient policy enforcement flaw was found in the networking component of chromium.

Remediation

Upgrade electron to version 9.4.0, 10.1.7 or higher.

References

Improper Access Control vulnerability report

high severity

Improper Access Control

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Improper Access Control. It has an inappropriate implementation in V8.

Remediation

Upgrade electron to version 6.1.10, 7.2.2, 8.2.1 or higher.

References

Improper Access Control vulnerability report

high severity

Improper Access Control

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8 and electron@32.0.1

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d electron@32.0.1
    Remediation: Upgrade to electron@32.2.3.

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Improper Access Control due to an inappropriate implementation in Extensions. An attacker can bypass site isolation.

Remediation

Upgrade electron to version 31.7.4, 32.2.3 or higher.

References

Improper Access Control vulnerability report

high severity

Improper Input Validation

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Improper Input Validation. An insufficient data validation flaw was found in the WASM component of the Chromium browser.

Remediation

Upgrade electron to version 9.4.0, 10.1.7 or higher.

References

Improper Input Validation vulnerability report

high severity

Improper Restriction of Operations within the Bounds of a Memory Buffer

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Improper Restriction of Operations within the Bounds of a Memory Buffer due to an inappropriate implementation in the V8 engine. An attacker can potentially perform out of bounds memory access by crafting a malicious HTML page.

Remediation

Upgrade electron to version 29.3.0 or higher.

References

Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability report

high severity

Integer Overflow

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Integer Overflow via Chromium in Mojo.

Remediation

Upgrade electron to version 10.4.4 or higher.

References

Integer Overflow vulnerability report

high severity

Integer Overflow or Wraparound

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Integer Overflow or Wraparound via the Mojo component of chromium.

Remediation

Upgrade electron to version 10.4.4, 12.0.6 or higher.

References

Integer Overflow or Wraparound vulnerability report

high severity

Integer Overflow or Wraparound

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Integer Overflow or Wraparound due to handle reuse in Mojo.

Remediation

Upgrade electron to version 14.2.7, 15.4.0 or higher.

References

Integer Overflow or Wraparound vulnerability report

high severity

Interger Underflow

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Interger Underflow in ANGLE. A remote attacker could potentially exploit heap corruption via a crafted HTML page.

Remediation

Upgrade electron to version 14.2.5, 15.3.6 or higher.

References

Interger Underflow vulnerability report

high severity

Out-of-Bounds

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Out-of-Bounds. Object lifecycle issue in audio.

Remediation

Upgrade electron to version 11.4.0, 10.4.1 or higher.

References

Out-of-Bounds vulnerability report

high severity

Out-of-bounds Read

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Out-of-bounds Read allowing a remote attacker to exploit heap corruption via a crafted HTML page.

Note: The Stable channel has been updated to 120.0.6099.234 for Mac devices.

Remediation

Upgrade electron to version 26.6.7 or higher.

References

Out-of-bounds Read vulnerability report

high severity

Out-of-bounds Read

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Out-of-bounds Read through the V8 engine. An attacker can access memory locations outside of the intended boundary by crafting a malicious HTML page.

Remediation

Upgrade electron to version 29.4.3 or higher.

References

Out-of-bounds Read vulnerability report

high severity

Out-of-bounds Read

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Out-of-bounds Read via a crafted HTML page. An attacker can access memory locations outside the intended boundary by crafting a malicious HTML page that triggers the flaw.

Remediation

Upgrade electron to version 31.7.2 or higher.

References

Out-of-bounds Read vulnerability report

high severity

Out-of-bounds Read

  • Vulnerable module: electron
  • Introduced through: electron@32.0.1

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d electron@32.0.1
    Remediation: Upgrade to electron@32.3.0.

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Out-of-bounds Read through the Metrics process.

Remediation

Upgrade electron to version 32.3.0, 33.3.2 or higher.

References

Out-of-bounds Read vulnerability report

high severity

Out-of-bounds Write

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Out-of-bounds Write via a data race in the audio component. A remote attacker could potentially exploit heap corruption using a crafted HTML page.

Remediation

Upgrade electron to version 10.4.1, 11.4.1 or higher.

References

Out-of-bounds Write vulnerability report

high severity

Out-of-Bounds Write

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Out-of-Bounds Write through the Streams API. An attacker can execute arbitrary code within a sandboxed environment by crafting a malicious HTML page.

Remediation

Upgrade electron to version 29.4.3 or higher.

References

Out-of-Bounds Write vulnerability report

high severity

Privilege Context Switching Error

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Privilege Context Switching Error in libuv's handling of io_uring operations called before calling setuid(). This allows users to elevate privileges.

PoC

const { spawn } = require('node:child_process');
const process = require('process');

process.env['UV_USE_IO_URING']=1;

process.setuid(400);
const ls = spawn('cmd.exe', [' whoami']);

ls.stdout.on('data', (data) => {
    console.log(`stdout: ${data}`);
  });
  
ls.stderr.on('data', (data) => {
    console.error(`stderr: ${data}`);
  });
  
ls.on('close', (code) => {
    console.log(`child process exited with code ${code}`);
  });

console.log("The user identity of the Node.js" + " process:", process.getuid());

Remediation

Upgrade electron to version 29.4.0 or higher.

References

Privilege Context Switching Error vulnerability report

high severity

Type Confusion

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Type Confusion in V8.

Remediation

Upgrade electron to version 12.0.10, 11.4.8, 10.4.7 or higher.

References

Type Confusion vulnerability report

high severity

Type Confusion

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Type Confusion in V8 via Chrome.

Remediation

Upgrade electron to version 12.0.16, 11.4.11 or higher.

References

Type Confusion vulnerability report

high severity

Type Confusion

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Type Confusion via Blink layout in Chrome.

Remediation

Upgrade electron to version 13.5.0, 12.2.0 or higher.

References

Type Confusion vulnerability report

high severity

Type Confusion

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Type Confusion in V8. This allows a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Remediation

Upgrade electron to version 13.6.3, 14.2.2, 15.3.3 or higher.

References

Type Confusion vulnerability report

high severity

Type Confusion

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Type Confusion in loader in Google Chrome. This can lead to heap corruption which is exploited through a crafted HTML page.

Remediation

Upgrade electron to version 13.6.6, 14.2.4, 15.3.5 or higher.

References

Type Confusion vulnerability report

high severity

Type Confusion

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Type Confusion in V8 in Google Chrome allows a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Remediation

Upgrade electron to version 13.6.8, 14.2.5, 15.3.6 or higher.

References

Type Confusion vulnerability report

high severity

Type Confusion

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Type Confusion in V8.

Remediation

Upgrade electron to version 17.4.11, 18.3.6 or higher.

References

Type Confusion vulnerability report

high severity

Type Confusion

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Type Confusion in V8.

Remediation

Upgrade electron to version 19.1.5, 20.3.5 or higher.

References

Type Confusion vulnerability report

high severity

Type Confusion

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Type Confusion in V8.

Remediation

Upgrade electron to version 7.3.1 or higher.

References

Type Confusion vulnerability report

high severity

Type Confusion

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Type Confusion due to the V8 process. An attacker can potentially perform arbitrary read/write by exploiting a crafted HTML page.

Remediation

Upgrade electron to version 29.4.3 or higher.

References

Type Confusion vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via the site isolation.

Remediation

Upgrade electron to version 8.5.4, 9.3.5, 10.1.6 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free. A use after free flaw was found in the PPAPI component of the Chromium browser.

Remediation

Upgrade electron to version 9.4.0, 10.2.0 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in Media.

Remediation

Upgrade electron to version 11.2.1, 9.4.4 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free. It hands sub-queries with both a correlated WHERE clause and a HAVING 0 clause where the parent query is itself an aggregate.

Remediation

Upgrade electron to version 11.2.1, 9.4.4 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free. When a LayoutInline is removed, LineBoxList::DirtyLinesFromChangedChild tries to mark affected RootInlineBox dirty.

When the |LayoutInline| to be removed is culled, it tries to find the RootInlineBox from its previous siblings, then look for its previous and next RootInlineBoxes.

Occasionally, the next next line of the previous sibling is wrapped at the LayoutInline, and that its LineBreakObj() holds the reference to the LayoutInline. This patch marks such RootInlineBox dirty.

Remediation

Upgrade electron to version 11.4.0, 10.4.1 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in WebRTC.

Remediation

Upgrade electron to version 11.4.0, 10.4.1 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free. It allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Remediation

Upgrade electron to version 10.4.2, 11.4.1 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via a vulnerability that exists in Blink in Chromium. A remote attacker can trick the victim to visit a specially crafted web page, trigger a use-after-free error and execute arbitrary code on the system.

Remediation

Upgrade electron to version 11.4.4, 10.4.4 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via Chrome which allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Remediation

Upgrade electron to version 12.0.5, 11.4.4, 10.4.4 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via chromium which allows a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Remediation

Upgrade electron to version 12.0.5, 11.4.4, 10.4.4 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via Aura in Google Chrome which allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page.

Remediation

Upgrade electron to version 12.0.5, 11.4.4, 10.4.4 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via the Navigation component of chromium.

Remediation

Upgrade electron to version 10.4.4, 11.4.4, 12.0.6 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in the chromium extensions resource.

Remediation

Upgrade electron to version 11.4.4, 10.4.4 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in File API.

Remediation

Upgrade electron to version 12.0.10, 11.4.8, 10.4.7 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in Notifications.

Remediation

Upgrade electron to version 12.0.10, 11.4.8, 10.4.7 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free. Use after free in Loader in Google Chrome allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Remediation

Upgrade electron to version 12.0.12, 11.4.9 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in BFCache in Google Chrome, which allows a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Remediation

Upgrade electron to version 12.0.13, 11.4.9 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in WebGL.

Remediation

Upgrade electron to version 12.0.13, 11.4.10 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in WebRTC.

Remediation

Upgrade electron to version 12.0.14, 11.4.10 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in WebAudio.

Remediation

Upgrade electron to version 12.0.14, 11.4.10 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in Blink XSLT.

Remediation

Upgrade electron to version 12.0.16, 11.4.11 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in WebSerial via Chrome.

Remediation

Upgrade electron to version 12.0.16, 11.4.11 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in V8 via Chrome.

Remediation

Upgrade electron to version 12.0.16, 11.4.11 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in GPU.

Remediation

Upgrade electron to version 13.1.8, 12.0.16, 11.4.11 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in Autofill.

Remediation

Upgrade electron to version 12.0.16, 11.4.11 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in Indexed DB API.

Remediation

Upgrade electron to version 13.5.0, 12.2.0 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via the Chromium FileReader.

Note: This vulnerability affects all software based on Chromium, including Electron.

Remediation

Upgrade electron to version 2.0.18, 3.0.16, 3.1.6, 4.0.8 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via heap corruption through a crafted HTML page.

Remediation

Upgrade electron to version 14.1.1, 13.5.2, 12.2.2 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in the file system API, through a heap corruption via a crafted HTML page.

Remediation

Upgrade electron to version 14.1.1, 13.5.2, 12.2.2 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via the Garbage Collection module in Chromium.

Remediation

Upgrade electron to version 14.2.1, 13.6.2, 12.2.3 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via the Web Transport module in Chromium.

Remediation

Upgrade electron to version 14.2.1, 13.6.2 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in loader in Google Chrome. This allows a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Remediation

Upgrade electron to version 13.6.3, 14.2.2, 15.3.3 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in the storage foundation, which allows a remote attacker to potentially exploit heap corruption via a crafted HTML page

Remediation

Upgrade electron to version 16.0.0 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in media in Google Chrome which allows a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Remediation

Upgrade electron to version 15.3.5 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via file API in Google Chrome prior to 96.0.4664.93. It allows a remote attacker who have compromised the renderer process to potentially exploit heap corruption via a crafted HTML page.

Remediation

Upgrade electron to version 13.6.6, 14.2.4, 15.3.5 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free on context loss.

Remediation

Upgrade electron to version 14.2.7, 15.4.0, 16.0.10 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free when the source framebuffer's extents were accidentally used instead of the blit area extents.

Remediation

Upgrade electron to version 14.2.7, 15.4.0, 16.0.10 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in the BFCache, due to the attempts to cache an interstitial which results in a crash.

Remediation

Upgrade electron to version 16.2.4, 17.4.2 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in regular expressions (V8).

Remediation

Upgrade electron to version 15.5.3, 16.2.4, 17.4.2 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in Angle, when pausing XFB then deleting a buffer.

Remediation

Upgrade electron to version 15.5.4, 16.2.6, 17.4.3 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in Vulkan.

Remediation

Upgrade electron to version 15.5.6, 16.2.6, 17.4.4 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in File System API.

Remediation

Upgrade electron to version 16.2.6, 17.4.3, 18.2.2 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in SwiftShader.

Remediation

Upgrade electron to version 15.5.4, 16.2.5, 17.4.3 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free due to improper cache state validation after the XFB buffer was deleted.

Remediation

Upgrade electron to version 15.5.6, 16.2.7, 17.4.5 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in Angle.

Remediation

Upgrade electron to version 17.4.8, 18.3.4 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free when glBufferData redefines a buffer and the new buffer is smaller than the old buffer.

Remediation

Upgrade electron to version 18.3.11, 19.0.15 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in Blink, when a DisplayLock is unlocked via ForceUnlockIfNeeded.

Remediation

Upgrade electron to version 18.3.11 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in SwiftShader.

Remediation

Upgrade electron to version 19.0.15 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in WebSQL

Remediation

Upgrade electron to version 18.3.14, 20.1.4 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in WebSQL.

Remediation

Upgrade electron to version 18.3.12, 19.0.16, 20.1.2 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in Layout.

Remediation

Upgrade electron to version 19.1.0, 18.3.14 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in Network Service

Remediation

Upgrade electron to version 20.1.2, 19.1.0, 18.3.12 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in Frames, via a crafted HTML page.

Remediation

Upgrade electron to version 18.3.14, 19.1.0 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in Layout.

Remediation

Upgrade electron to version 19.1.5, 20.3.5 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in WebCodecs, which allows a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Remediation

Upgrade electron to version 19.1.7, 20.3.7 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via the Web Workers, which allows a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Remediation

Upgrade electron to version 19.1.7, 20.3.7 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in Mojo, via heap corruption.

Remediation

Upgrade electron to version 20.3.9, 21.4.0 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in WebRTC, causing heap corruption.

Remediation

Upgrade electron to version 20.3.12, 21.4.2 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free. Multiple user after free vulnerabilities exists in the WebAudio component of chromium.

Remediation

Upgrade electron to version 6.1.10, 7.2.2, 8.2.1 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free. It allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Remediation

Upgrade electron to version 6.1.10, 7.2.2, 8.2.1 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via the audio component. It allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Remediation

Upgrade electron to version 6.1.10, 7.2.2, 8.2.1 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via the audio component.

Remediation

Upgrade electron to version 8.2.1, 7.2.2 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free. It allows a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Remediation

Upgrade electron to version 6.1.10, 7.2.2, 8.2.0 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in WebRTC.

Remediation

Upgrade electron to version 8.3.1 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via the WebAudio component. An attacker can potentially exploit heap corruption by convincing a user to visit a crafted HTML page.

Remediation

Upgrade electron to version 26.6.5, 27.2.2 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via the Web Audio feature. An attacker can potentially exploit heap corruption by crafting a malicious HTML page.

Remediation

Upgrade electron to version 26.6.8, 27.3.1 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free due to the improper handling of objects in memory in the Dawn component. An attacker can potentially exploit heap corruption through a crafted HTML page.

Remediation

Upgrade electron to version 27.3.9, 28.2.10, 29.2.0 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free due to improper handling in the WebCodecs component. An attacker can achieve arbitrary read/write access by crafting a malicious HTML page.

Remediation

Upgrade electron to version 27.3.9, 28.2.10, 29.2.0 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free due to improper handling of objects in memory in the Dawn component. An attacker can cause heap corruption and potentially execute arbitrary code by convincing a user to visit a specially crafted HTML page.

Remediation

Upgrade electron to version 27.3.11, 28.3.1, 29.3.1 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free through the Media Session process. An attacker can execute arbitrary code inside a sandbox by crafting a malicious HTML page.

Remediation

Upgrade electron to version 29.4.3 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free through the Dawn process. An attacker can potentially exploit heap corruption by crafting a malicious HTML page.

Remediation

Upgrade electron to version 29.4.3 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free through the Dawn component. An attacker can potentially exploit heap corruption by crafting a malicious HTML page.

Remediation

Upgrade electron to version 29.4.3 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in the scheduling process. An attacker can execute arbitrary code inside a sandbox by using a crafted HTML page.

Remediation

Upgrade electron to version 29.4.3 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free due to the improper handling of memory in the Dawn process. An attacker can cause heap corruption by crafting a malicious HTML page.

Note: 126.0.6478.56 is the fixed version for Windows and Mac. Version 126.0.6478.54 fixes the vulnerability in Linux

Remediation

Upgrade electron to version 29.4.3 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via the Dawn process. An attacker can potentially exploit heap corruption by crafting a malicious HTML page.

Note: 126.0.6478.56 is the fixed version for Windows and Mac. Version 126.0.6478.54 fixes the vulnerability in Linux

Remediation

Upgrade electron to version 29.4.3 or higher.

References

Use After Free vulnerability report

high severity

Regular Expression Denial of Service (ReDoS)

  • Vulnerable module: cross-spawn
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 yargs@8.0.2 os-locale@2.1.0 execa@0.7.0 cross-spawn@5.1.0

Overview

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.

PoC

const { argument } = require('cross-spawn/lib/util/escape');
var str = "";
for (var i = 0; i < 1000000; i++) {
  str += "\\";
}
str += "◎";

console.log("start")
argument(str)
console.log("end")

// run `npm install cross-spawn` and `node attack.js` 
// then the program will stuck forever with high CPU usage

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

Let’s take the following regular expression as an example:

regex = /A(B|C+)+D/

This regular expression accomplishes the following:

  • A The string must start with the letter 'A'
  • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
  • D Finally, we ensure this section of the string ends with a 'D'

The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

It most cases, it doesn't take very long for a regex engine to find a match:

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
0.04s user 0.01s system 95% cpu 0.052 total

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
1.79s user 0.02s system 99% cpu 1.812 total

The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

  1. CCC
  2. CC+C
  3. C+CC
  4. C+C+C.

The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

From there, the number of steps the engine must use to validate a string just continues to grow.

String Number of C's Number of steps
ACCCX 3 38
ACCCCX 4 71
ACCCCCX 5 136
ACCCCCCCCCCCCCCX 14 65,553

By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

Remediation

Upgrade cross-spawn to version 6.0.6, 7.0.5 or higher.

References

Regular Expression Denial of Service (ReDoS) vulnerability report

high severity

Access of Resource Using Incompatible Type ('Type Confusion')

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8 and electron@32.0.1

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d electron@32.0.1
    Remediation: Upgrade to electron@33.4.6.

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Access of Resource Using Incompatible Type ('Type Confusion') in v8.

Remediation

Upgrade electron to version 33.4.6, 34.3.4 or higher.

References

Access of Resource Using Incompatible Type ('Type Confusion') vulnerability report

high severity

External Control of Assumed-Immutable Web Parameter

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to External Control of Assumed-Immutable Web Parameter via a crafted HTML page. An attacker can perform an out of bounds memory write by sending a specially crafted HTML content.

Remediation

Upgrade electron to version 31.7.2 or higher.

References

External Control of Assumed-Immutable Web Parameter vulnerability report

high severity

Heap-based Buffer Overflow

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Heap-based Buffer Overflow in Skia

Remediation

Upgrade electron to version 31.7.2 or higher.

References

Heap-based Buffer Overflow vulnerability report

high severity

Heap-based Buffer Overflow

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Heap-based Buffer Overflow in Skia.

Remediation

Upgrade electron to version 31.7.2 or higher.

References

Heap-based Buffer Overflow vulnerability report

high severity

Heap-based Buffer Overflow

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Heap-based Buffer Overflow in Skia.

Remediation

Upgrade electron to version 31.7.2 or higher.

References

Heap-based Buffer Overflow vulnerability report

high severity

Incorrect Calculation of Buffer Size

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8 and electron@32.0.1

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d electron@32.0.1
    Remediation: Upgrade to electron@37.2.4.

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Incorrect Calculation of Buffer Size via insufficient validation of untrusted input in ANGLE and GPU. An attacker can escape the sandbox by submitting a specially crafted HTML page.

Remediation

Upgrade electron to version 37.2.4 or higher.

References

Incorrect Calculation of Buffer Size vulnerability report

high severity

Out-of-bounds Write

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Out-of-bounds Write via a crafted HTML page. An attacker can execute arbitrary code inside a sandbox by crafting a malicious HTML page.

Remediation

Upgrade electron to version 31.7.7 or higher.

References

Out-of-bounds Write vulnerability report

high severity

Out-of-bounds Write

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8 and electron@32.0.1

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d electron@32.0.1
    Remediation: Upgrade to electron@32.3.0.

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Out-of-bounds Write through a crafted HTML page. An attacker can execute arbitrary code inside a sandbox by crafting malicious HTML content.

Remediation

Upgrade electron to version 32.3.0 or higher.

References

Out-of-bounds Write vulnerability report

high severity

Out-of-bounds Write

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8 and electron@32.0.1

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d electron@32.0.1
    Remediation: Upgrade to electron@32.3.2.

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Out-of-bounds Write via a crafted HTML page. An attacker can potentially exploit heap corruption by sending a specially crafted HTML page to the victim.

Remediation

Upgrade electron to version 32.3.2, 33.4.2 or higher.

References

Out-of-bounds Write vulnerability report

high severity

Out-of-bounds Write

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8 and electron@32.0.1

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d electron@32.0.1
    Remediation: Upgrade to electron@32.3.2.

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Out-of-bounds Write through crafted HTML pages. An attacker can exploit heap corruption by sending a specially crafted HTML page to the victim.

Remediation

Upgrade electron to version 32.3.2, 33.4.2 or higher.

References

Out-of-bounds Write vulnerability report

high severity

Type Confusion

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8 and electron@32.0.1

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d electron@32.0.1
    Remediation: Upgrade to electron@32.3.0.

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Type Confusion in v8 engine.

Remediation

Upgrade electron to version 32.3.0 or higher.

References

Type Confusion vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8 and electron@32.0.1

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d electron@32.0.1
    Remediation: Upgrade to electron@37.2.6.

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via MediaStreamTrackImpl. An attacker can cause heap corruption by enticing a user to visit a specially crafted HTML page.

Remediation

Upgrade electron to version 37.2.6 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via the Dawn component.

Remediation

Upgrade electron to version 29.4.3 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free through the Swiftshader process. An attacker can potentially exploit heap corruption by crafting a malicious HTML page.

Remediation

Upgrade electron to version 29.4.5, 30.2.0 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free through the Dawn process. An attacker can potentially exploit heap corruption by crafting a malicious HTML page.

Remediation

Upgrade electron to version 29.4.5, 30.2.0 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free due to the improper handling of memory in the Dawn component. An attacker can cause heap corruption and potentially execute arbitrary code by crafting a malicious HTML page.

Remediation

Upgrade electron to version 29.4.5, 30.2.0 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free through the Dawn component. An attacker can potentially exploit heap corruption by crafting a malicious HTML page.

Remediation

Upgrade electron to version 29.4.5, 30.2.0 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in Dawn component. An attacker can potentially exploit heap corruption by crafting a malicious HTML page.

Remediation

Upgrade electron to version 30.4.0, 31.4.0 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in Loader component. An attacker can potentially exploit heap corruption by crafting a malicious HTML page.

Remediation

Upgrade electron to version 30.4.0, 31.4.0 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via the Dawn component. An attacker can potentially exploit heap corruption by crafting a malicious HTML page.

Remediation

Upgrade electron to version 31.7.2 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via the WebAudio process. An attacker can potentially exploit heap corruption by crafting a malicious HTML page.

Remediation

Upgrade electron to version 31.7.2 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8 and electron@32.0.1

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d electron@32.0.1
    Remediation: Upgrade to electron@32.2.5.

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via the Serial process. An attacker can potentially exploit heap corruption.

Remediation

Upgrade electron to version 31.7.5, 32.2.5 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via the Compositing process. An attacker can potentially exploit heap corruption by crafting a malicious HTML page.

Remediation

Upgrade electron to version 31.7.7 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8 and electron@32.0.1

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d electron@32.0.1
    Remediation: Upgrade to electron@33.4.3.

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free through the V8 engine. An attacker can potentially exploit heap corruption by crafting a malicious HTML page.

Remediation

Upgrade electron to version 33.4.3 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8 and electron@32.0.1

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d electron@32.0.1
    Remediation: Upgrade to electron@32.3.3.

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free through the V8 engine.

Remediation

Upgrade electron to version 32.3.3, 33.4.3 or higher.

References

Use After Free vulnerability report

high severity

Improper Link Resolution Before File Access ('Link Following')

  • Vulnerable module: tar-fs
  • Introduced through: whatsapp-web.js@1.26.1-alpha.1

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d whatsapp-web.js@1.26.1-alpha.1 puppeteer@18.2.1 puppeteer-core@18.2.1 tar-fs@2.1.1

Overview

tar-fs is a filesystem bindings for tar-stream.

Affected versions of this package are vulnerable to Improper Link Resolution Before File Access ('Link Following') through the exports.extract function. An attacker can manipulate the path of extracted files to write outside the intended directory by crafting a malicious tarball.

Workaround

This vulnerability can be mitigated by using the ignore option to ignore paths like symlinks that are not files/directories.

  ignore (_, header) {
    // pass files & directories, ignore e.g. symlinks
    return header.type !== 'file' && header.type !== 'directory'
  }

Details

A Directory Traversal attack (also known as path traversal) aims to access files and directories that are stored outside the intended folder. By manipulating files with "dot-dot-slash (../)" sequences and its variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system, including application source code, configuration, and other critical system files.

Directory Traversal vulnerabilities can be generally divided into two types:

  • Information Disclosure: Allows the attacker to gain information about the folder structure or read the contents of sensitive files on the system.

st is a module for serving static files on web pages, and contains a vulnerability of this type. In our example, we will serve files from the public route.

If an attacker requests the following URL from our server, it will in turn leak the sensitive private key of the root user.

curl http://localhost:8080/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/root/.ssh/id_rsa

Note %2e is the URL encoded version of . (dot).

  • Writing arbitrary files: Allows the attacker to create or replace existing files. This type of vulnerability is also known as Zip-Slip.

One way to achieve this is by using a malicious zip archive that holds path traversal filenames. When each filename in the zip archive gets concatenated to the target extraction folder, without validation, the final path ends up outside of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.

The following is an example of a zip archive with one benign file and one malicious file. Extracting the malicious file will result in traversing out of the target folder, ending up in /root/.ssh/ overwriting the authorized_keys file:

2018-04-15 22:04:29 .....           19           19  good.txt
2018-04-15 22:04:42 .....           20           20  ../../../../../../root/.ssh/authorized_keys

Remediation

Upgrade tar-fs to version 1.16.5, 2.1.3, 3.0.9 or higher.

References

Improper Link Resolution Before File Access ('Link Following') vulnerability report

high severity

Symlink Attack

  • Vulnerable module: tar-fs
  • Introduced through: whatsapp-web.js@1.26.1-alpha.1

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d whatsapp-web.js@1.26.1-alpha.1 puppeteer@18.2.1 puppeteer-core@18.2.1 tar-fs@2.1.1

Overview

tar-fs is a filesystem bindings for tar-stream.

Affected versions of this package are vulnerable to Symlink Attack via the extraction process of a maliciously crafted tar file. An attacker can overwrite or write unauthorized files outside the intended directory by exploiting the path traversal and link following vulnerabilities.

Remediation

Upgrade tar-fs to version 1.16.4, 2.1.2, 3.0.7 or higher.

References

Symlink Attack vulnerability report

high severity

Access of Resource Using Incompatible Type ('Type Confusion')

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8 and electron@32.0.1

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d electron@32.0.1
    Remediation: Upgrade to electron@37.2.5.

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Access of Resource Using Incompatible Type ('Type Confusion') via lack of support for escapes in PreParserIdentifier V8` process. An attacker can achieve heap corruption by enticing a user to visit a specially crafted HTML page.

Remediation

Upgrade electron to version 37.2.5 or higher.

References

Access of Resource Using Incompatible Type ('Type Confusion') vulnerability report

high severity

External Control of Assumed-Immutable Web Parameter

  • Vulnerable module: electron
  • Introduced through: electron@32.0.1

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d electron@32.0.1
    Remediation: Upgrade to electron@32.3.0.

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to External Control of Assumed-Immutable Web Parameter due to an integer overflow in the Skia component.

Remediation

Upgrade electron to version 32.3.0, 33.3.2 or higher.

References

External Control of Assumed-Immutable Web Parameter vulnerability report

high severity

Heap-based Buffer Overflow

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Heap-based Buffer Overflow in the WebRTC component.

Remediation

Upgrade electron to version 17.4.11, 18.3.6 or higher.

References

Heap-based Buffer Overflow vulnerability report

high severity

Heap-based Buffer Overflow

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Heap-based Buffer Overflow through the V8 engine. An attacker can corrupt memory and potentially execute arbitrary code by crafting a malicious HTML page.

Note: This is only exploitable if the user navigates to or is redirected to a malicious web page.

Remediation

Upgrade electron to version 29.4.6, 30.4.0 or higher.

References

Heap-based Buffer Overflow vulnerability report

high severity

Improper Input Validation

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Improper Input Validation. It allowed a remote attacker to leak cross-origin data via a crafted HTML page.

Remediation

Upgrade electron to version 10.4.2, 11.4.1 or higher.

References

Improper Input Validation vulnerability report

high severity

Out-of-Bounds

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Out-of-Bounds. Out of bounds memory access in V8 in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. This vulnerability relates to an electron component.

Remediation

Upgrade electron to version 10.4.2, 11.4.1 or higher.

References

Out-of-Bounds vulnerability report

high severity

Out-of-Bounds

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Out-of-Bounds when the V8 engine processes a carefully crafted HTML page. An attacker can perform an out of bounds memory read, thereby potentially gaining unauthorized access to sensitive information.

Remediation

Upgrade electron to version 22.3.23, 24.8.2, 25.8.0 or higher.

References

Out-of-Bounds vulnerability report

high severity

Out-of-Bounds

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Out-of-Bounds memory access in V8 component. This vulnerability allowed a remote attacker to perform arbitrary read/write via a crafted HTML page.

Remediation

Upgrade electron to version 27.3.10, 28.3.0 or higher.

References

Out-of-Bounds vulnerability report

high severity

Out-of-bounds Read

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Out-of-bounds Read through the V8 engine. An attacker can access memory locations outside of the intended bounds by crafting a malicious HTML page.

Note: This is only exploitable if the user navigates to or is redirected to a malicious web page.

Remediation

Upgrade electron to version 29.4.6, 30.4.0 or higher.

References

Out-of-bounds Read vulnerability report

high severity

Out-of-bounds Write

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Out-of-bounds Write allowing a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Note: The Stable channel has been updated to 120.0.6099.234 for Mac devices.

Remediation

Upgrade electron to version 26.6.6, 27.2.3, 28.1.4 or higher.

References

Out-of-bounds Write vulnerability report

high severity

Out-of-bounds Write

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8 and electron@32.0.1

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d electron@32.0.1
    Remediation: Upgrade to electron@32.2.3.

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Out-of-bounds Write in Dawn.

Remediation

Upgrade electron to version 31.7.4, 32.2.3 or higher.

References

Out-of-bounds Write vulnerability report

high severity

Type Confusion

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Type Confusion in InferHasInPrototypeChain of the V8 engine.

Remediation

Upgrade electron to version 31.7.1, 32.2.1 or higher.

References

Type Confusion vulnerability report

high severity

Type Confusion

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Type Confusion via the V8 engine.

Remediation

Upgrade electron to version 31.7.2 or higher.

References

Type Confusion vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8 and electron@32.0.1

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d electron@32.0.1
    Remediation: Upgrade to electron@37.2.4.

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via improper handling of possible socket destruction in P2PSocketTcpBase. An attacker can achieve heap corruption and potentially execute arbitrary code by enticing a user to visit a specially crafted HTML page.

Remediation

Upgrade electron to version 37.2.4 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in Mojo runtime libraries collection. This allows an attacker to exploit heap corruption via a crafted HTML page.

Remediation

Upgrade electron to version 27.3.4, 28.2.5 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free through the Audio process. An attacker can potentially exploit heap corruption by crafting a malicious HTML page.

Remediation

Upgrade electron to version 29.4.6, 30.4.0 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via the Navigation process. An attacker can exploit heap corruption by convincing a user to install a malicious extension.

Remediation

Upgrade electron to version 29.4.6, 30.4.0 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via specific UI gestures in the Screen Capture feature. An attacker can potentially exploit heap corruption by convincing a user to visit a crafted HTML page.

Remediation

Upgrade electron to version 29.4.6, 30.4.0 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free through the Media Stream process. An attacker can potentially exploit heap corruption by convincing a user to perform specific UI gestures on a crafted HTML page.

Remediation

Upgrade electron to version 29.4.6, 30.4.0 or higher.

References

Use After Free vulnerability report

high severity

Improper Access Control

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Improper Access Control via nested unserializable return value when using contextIsolation and contextBridge are affected. Exploiting this vulnerability allows code running in the main world context in the renderer to reach into the isolated Electron context and perform privileged actions.

Note

This issue is exploitable under either of two conditions:

  1. If an API exposed to the main world via contextBridge can return an object or array that contains a JS object that cannot be serialized, such as a canvas rendering context. This would normally result in an Error: object could not be cloned exception being thrown.

  2. If an API exposed to the main world via contextBridge has a return value that throws a user-generated exception while being sent over the bridge, such as a dynamic getter property on an object that throws an error when being computed.

Workaround

The app-side workaround is to ensure that such a case, as mentioned in the workaround section, is not possible.

Ensure all values returned from a function exposed over the context bridge are supported and that any objects returned from functions do not have dynamic getters that can throw exceptions.

Auditing your exposed API is likely to be quite difficult, so we strongly recommend you update to a patched version of Electron.

Remediation

Upgrade electron to version 23.2.3, 25.0.0-alpha.2 or higher.

References

Improper Access Control vulnerability report

high severity

Prototype Pollution

  • Vulnerable module: xmldom
  • Introduced through: pragmatismo-io-framework@1.1.1, botlib@5.0.0 and others

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d pragmatismo-io-framework@1.1.1 ms-rest-azure@2.5.9 adal-node@0.1.28 xmldom@0.6.0
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 pragmatismo-io-framework@1.1.1 ms-rest-azure@2.5.9 adal-node@0.1.28 xmldom@0.6.0
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d open-docxtemplater-image-module@1.0.3 xmldom@0.1.31
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d textract@2.5.0 xmldom@0.1.27

Overview

xmldom is an A pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module.

Affected versions of this package are vulnerable to Prototype Pollution through the copy() function in dom.js. Exploiting this vulnerability is possible via the p variable.

DISPUTED This vulnerability has been disputed by the maintainers of the package. Currently the only viable exploit that has been demonstrated is to pollute the target object (rather then the global object which is generally the case for Prototype Pollution vulnerabilities) and it is yet unclear if this limited attack vector exposes any vulnerability in the context of this package.

See the linked GitHub Issue for full details on the discussion around the legitimacy and potential revocation of this vulnerability.

Details

Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as __proto__, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.

There are two main ways in which the pollution of prototypes occurs:

  • Unsafe Object recursive merge

  • Property definition by path

Unsafe Object recursive merge

The logic of a vulnerable recursive merge function follows the following high-level model:

merge (target, source)

  foreach property of source

    if property exists and is an object on both the target and the source

      merge(target[property], source[property])

    else

      target[property] = source[property]

When the source object contains a property named __proto__ defined with Object.defineProperty() , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of Object and the source of Object as defined by the attacker. Properties are then copied on the Object prototype.

Clone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: merge({},source).

lodash and Hoek are examples of libraries susceptible to recursive merge attacks.

Property definition by path

There are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: theFunction(object, path, value)

If the attacker can control the value of “path”, they can set this value to __proto__.myValue. myValue is then assigned to the prototype of the class of the object.

Types of attacks

There are a few methods by which Prototype Pollution can be manipulated:

Type Origin Short description
Denial of service (DoS) Client This is the most likely attack.
DoS occurs when Object holds generic functions that are implicitly called for various operations (for example, toString and valueOf).
The attacker pollutes Object.prototype.someattr and alters its state to an unexpected value such as Int or Object. In this case, the code fails and is likely to cause a denial of service.
For example: if an attacker pollutes Object.prototype.toString by defining it as an integer, if the codebase at any point was reliant on someobject.toString() it would fail.
Remote Code Execution Client Remote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.
For example: eval(someobject.someattr). In this case, if the attacker pollutes Object.prototype.someattr they are likely to be able to leverage this in order to execute code.
Property Injection Client The attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.
For example: if a codebase checks privileges for someuser.isAdmin, then when the attacker pollutes Object.prototype.isAdmin and sets it to equal true, they can then achieve admin privileges.

Affected environments

The following environments are susceptible to a Prototype Pollution attack:

  • Application server

  • Web server

  • Web browser

How to prevent

  1. Freeze the prototype— use Object.freeze (Object.prototype).

  2. Require schema validation of JSON input.

  3. Avoid using unsafe recursive merge functions.

  4. Consider using objects without prototypes (for example, Object.create(null)), breaking the prototype chain and preventing pollution.

  5. As a best practice use Map instead of Object.

For more information on this vulnerability type:

Arteau, Oliver. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018

Remediation

There is no fixed version for xmldom.

References

Prototype Pollution vulnerability report

high severity

Asymmetric Resource Consumption (Amplification)

  • Vulnerable module: body-parser
  • Introduced through: body-parser@1.20.2 and express@4.19.2

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d body-parser@1.20.2
    Remediation: Upgrade to body-parser@1.20.3.
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d express@4.19.2 body-parser@1.20.2
    Remediation: Upgrade to express@4.20.0.

Overview

Affected versions of this package are vulnerable to Asymmetric Resource Consumption (Amplification) via the extendedparser and urlencoded functions when the URL encoding process is enabled. An attacker can flood the server with a large number of specially crafted requests.

Remediation

Upgrade body-parser to version 1.20.3 or higher.

References

Asymmetric Resource Consumption (Amplification) vulnerability report

high severity

Arbitrary Code Execution

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Arbitrary Code Execution. Opening a BrowserView with sandbox: true or nativeWindowOpen: true and nodeIntegration: false results in a webContents where window.open() can be called and the newly opened child will have nodeIntegration enabled.

Remediation

Upgrade electron to version 2.0.17, 3.0.15, 3.1.3, 4.0.4, 5.0.0-beta.2 or higher.

If for some reason you are unable to upgrade your Electron version, you can mitigate this issue by disabling all child web contents: view.webContents.on('-add-new-contents', e => e.preventDefault());

References

Arbitrary Code Execution vulnerability report

high severity

Out-of-bounds Read

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Out-of-bounds Read in GPU Video in Google Chrome prior to 111.0.5563.110 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Remediation

Upgrade electron to version 22.3.5 or higher.

References

Out-of-bounds Read vulnerability report

high severity

Site Isolation Bypass

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Site Isolation Bypass. parent_execution_origin_ is provided from parent's RenderFrameHostImpl::last_committed_origin_ that is set during navigation commit. Worker creation IPC from the renderer to browser could race with navigation commit, and could see the wrong last committed origin.

Remediation

Upgrade electron to version 7.2.2, 8.2.1 or higher.

References

Site Isolation Bypass vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free. Since JavaScript may detach the underlying buffers, they need to be checked to ensure they're still valid before using them for decoding.

Remediation

Upgrade electron to version 10.2.0, 9.4.4 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free. An AudioContext is considered to have activity if it's not closed. Previously, suspended contexts were considered has having no activity, but that's not quite true since the context can be resumed at any time after. This would allow contexts to be collected prematurely even though the context was resumed. This causes the audio thread to access objects that are possibly deleted.

Remediation

Upgrade electron to version 6.1.10, 7.2.2, 8.0.0-beta.6 or higher.

References

Use After Free vulnerability report

high severity

Insecure Defaults

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Insecure Defaults. Insufficient policy enforcement in the File System API of chromium allows a remote attacker to bypass filesystem restrictions via a crafted HTML page.

Remediation

Upgrade electron to version 10.4.1, 11.4.1 or higher.

References

Insecure Defaults vulnerability report

high severity

Out-of-bounds Write

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Out-of-bounds Write in the Compositing process. An attacker can potentially perform a sandbox escape by exploiting specific UI gestures. This is only exploitable if the attacker has already compromised the GPU process.

Remediation

Upgrade electron to version 27.3.11, 28.3.1, 29.3.1 or higher.

References

Out-of-bounds Write vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via the WebGPU process. An attacker can potentially exploit heap corruption by crafting a malicious HTML page.

Remediation

Upgrade electron to version 26.6.5, 27.2.2 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via the ANGLE component. An attacker can potentially exploit heap corruption by convincing a user to visit a crafted HTML page.

Remediation

Upgrade electron to version 26.6.5, 27.2.2 or higher.

References

Use After Free vulnerability report

high severity

Privilege Escalation

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Privilege Escalation. This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.

##Note: Only apps using contextIsolation are affected.

Remediation

Upgrade electron to version 7.2.4, 8.2.4 or higher.

References

Privilege Escalation vulnerability report

high severity

Uninitialized Memory Exposure

  • Vulnerable module: bl
  • Introduced through: botframework-connector@4.23.0, botbuilder@4.23.0 and others

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 bl@0.8.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botbuilder@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 bl@0.8.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botbuilder-dialogs@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 bl@0.8.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botbuilder-ai@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 bl@0.8.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 bl@0.8.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botbuilder@4.23.0 botbuilder-core@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 bl@0.8.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botbuilder-dialogs@4.23.0 botbuilder-core@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 bl@0.8.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botbuilder-ai@4.23.0 botbuilder-core@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 bl@0.8.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botbuilder@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 bl@0.8.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botbuilder-ai@4.23.0 botbuilder-dialogs@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 bl@0.8.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botbuilder-dialogs@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 bl@0.8.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botbuilder-ai@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 bl@0.8.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botbuilder@4.23.0 botbuilder-core@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 bl@0.8.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botbuilder-ai@4.23.0 botbuilder-dialogs@4.23.0 botbuilder-core@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 bl@0.8.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botbuilder-dialogs@4.23.0 botbuilder-core@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 bl@0.8.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botbuilder-ai@4.23.0 botbuilder-core@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 bl@0.8.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botbuilder-azure@4.23.0 botbuilder@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 bl@0.8.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botbuilder-ai@4.23.0 botbuilder-dialogs-declarative@4.23.0-preview botbuilder-dialogs@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 bl@0.8.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botbuilder-ai@4.23.0 botbuilder-dialogs@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 bl@0.8.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botbuilder-azure@4.23.0 botbuilder@4.23.0 botbuilder-core@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 bl@0.8.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botbuilder-ai@4.23.0 botbuilder-dialogs-declarative@4.23.0-preview botbuilder-dialogs@4.23.0 botbuilder-core@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 bl@0.8.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botbuilder-ai@4.23.0 botbuilder-dialogs@4.23.0 botbuilder-core@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 bl@0.8.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botbuilder-ai@4.23.0 botbuilder-dialogs-declarative@4.23.0-preview botbuilder-dialogs@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 bl@0.8.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botbuilder-ai@4.23.0 botbuilder-dialogs-declarative@4.23.0-preview botbuilder-dialogs@4.23.0 botbuilder-core@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 bl@0.8.2

Overview

bl is a library that allows you to collect buffers and access with a standard readable buffer interface.

Affected versions of this package are vulnerable to Uninitialized Memory Exposure. If user input ends up in consume() argument and can become negative, BufferList state can be corrupted, tricking it into exposing uninitialized memory via regular .slice() calls.

PoC by chalker

const { BufferList } = require('bl')
const secret = require('crypto').randomBytes(256)
for (let i = 0; i < 1e6; i++) {
  const clone = Buffer.from(secret)
  const bl = new BufferList()
  bl.append(Buffer.from('a'))
  bl.consume(-1024)
  const buf = bl.slice(1)
  if (buf.indexOf(clone) !== -1) {
    console.error(`Match (at ${i})`, buf)
  }
}

Remediation

Upgrade bl to version 2.2.1, 3.0.1, 4.0.3, 1.2.3 or higher.

References

Uninitialized Memory Exposure vulnerability report

high severity

Function Call with Incorrectly Specified Arguments

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8 and electron@32.0.1

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d electron@32.0.1
    Remediation: Upgrade to electron@36.3.0.

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Function Call with Incorrectly Specified Arguments via an incorrect handle provided in unspecified circumstances in Mojo. An attacker can reflect a broker-initiated transport back to a broker, which ultimately allows for handle leaks if the reflected transport is later used to deserialize another transport containing handles.

Remediation

Upgrade electron to version 36.3.0 or higher.

References

Function Call with Incorrectly Specified Arguments vulnerability report

high severity

Privilege Escalation

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Privilege Escalation. This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.

##Note: Only apps using both contextIsolation and contextBridge are affected.

Remediation

Upgrade electron to version 7.2.4, 8.2.4 or higher.

References

Privilege Escalation vulnerability report

high severity

Privilege Escalation

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Privilege Escalation. This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.

##Note: Only apps using contextIsolation are affected.

Remediation

Upgrade electron to version 6.1.11, 7.2.4, 8.2.4 or higher.

References

Privilege Escalation vulnerability report

high severity

Improper Input Validation

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Improper Input Validation in the USB component.

Remediation

Upgrade electron to version 25.9.4, 26.5.0, 27.0.4 or higher.

References

Improper Input Validation vulnerability report

high severity

Integer Overflow or Wraparound

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Integer Overflow or Wraparound in the USB component.

Remediation

Upgrade electron to version 25.9.4, 26.5.0, 27.0.4 or higher.

References

Integer Overflow or Wraparound vulnerability report

high severity

NULL Pointer Dereference

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to NULL Pointer Dereference in V8, due to an object lifecycle issue involving scope inheritance.

Remediation

Upgrade electron to version 27.3.8, 28.2.9, 29.1.6 or higher.

References

NULL Pointer Dereference vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via the Animation component in Chromium.

Remediation

Upgrade electron to version 16.0.10, 17.1.0 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in V8, which allows a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Remediation

Upgrade electron to version 19.1.7, 20.3.7 or higher.

References

Use After Free vulnerability report

high severity

Prototype Pollution

  • Vulnerable module: async
  • Introduced through: pragmatismo-io-framework@1.1.1 and botlib@5.0.0

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d pragmatismo-io-framework@1.1.1 ms-rest-azure@2.5.9 async@2.6.0
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 pragmatismo-io-framework@1.1.1 ms-rest-azure@2.5.9 async@2.6.0

Overview

Affected versions of this package are vulnerable to Prototype Pollution via the mapValues() method, due to improper check in createObjectIterator function.

PoC

//when objects are parsed, all properties are created as own (the objects can come from outside sources (http requests/ file))
const hasOwn = JSON.parse('{"__proto__": {"isAdmin": true}}');

//does not have the property,  because it's inside object's own "__proto__"
console.log(hasOwn.isAdmin);

async.mapValues(hasOwn, (val, key, cb) => cb(null, val), (error, result) => {
  // after the method executes, hasOwn.__proto__ value (isAdmin: true) replaces the prototype of the newly created object, leading to potential exploits.
  console.log(result.isAdmin);
});

Details

Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as __proto__, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.

There are two main ways in which the pollution of prototypes occurs:

  • Unsafe Object recursive merge

  • Property definition by path

Unsafe Object recursive merge

The logic of a vulnerable recursive merge function follows the following high-level model:

merge (target, source)

  foreach property of source

    if property exists and is an object on both the target and the source

      merge(target[property], source[property])

    else

      target[property] = source[property]

When the source object contains a property named __proto__ defined with Object.defineProperty() , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of Object and the source of Object as defined by the attacker. Properties are then copied on the Object prototype.

Clone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: merge({},source).

lodash and Hoek are examples of libraries susceptible to recursive merge attacks.

Property definition by path

There are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: theFunction(object, path, value)

If the attacker can control the value of “path”, they can set this value to __proto__.myValue. myValue is then assigned to the prototype of the class of the object.

Types of attacks

There are a few methods by which Prototype Pollution can be manipulated:

Type Origin Short description
Denial of service (DoS) Client This is the most likely attack.
DoS occurs when Object holds generic functions that are implicitly called for various operations (for example, toString and valueOf).
The attacker pollutes Object.prototype.someattr and alters its state to an unexpected value such as Int or Object. In this case, the code fails and is likely to cause a denial of service.
For example: if an attacker pollutes Object.prototype.toString by defining it as an integer, if the codebase at any point was reliant on someobject.toString() it would fail.
Remote Code Execution Client Remote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.
For example: eval(someobject.someattr). In this case, if the attacker pollutes Object.prototype.someattr they are likely to be able to leverage this in order to execute code.
Property Injection Client The attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.
For example: if a codebase checks privileges for someuser.isAdmin, then when the attacker pollutes Object.prototype.isAdmin and sets it to equal true, they can then achieve admin privileges.

Affected environments

The following environments are susceptible to a Prototype Pollution attack:

  • Application server

  • Web server

  • Web browser

How to prevent

  1. Freeze the prototype— use Object.freeze (Object.prototype).

  2. Require schema validation of JSON input.

  3. Avoid using unsafe recursive merge functions.

  4. Consider using objects without prototypes (for example, Object.create(null)), breaking the prototype chain and preventing pollution.

  5. As a best practice use Map instead of Object.

For more information on this vulnerability type:

Arteau, Oliver. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018

Remediation

Upgrade async to version 2.6.4, 3.2.2 or higher.

References

Prototype Pollution vulnerability report

high severity

Denial of Service (DoS)

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Denial of Service (DoS) in PDF in Google Chrome, a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade electron to version 17.4.11, 18.3.7 or higher.

References

Denial of Service (DoS) vulnerability report

high severity

Denial of Service (DoS)

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Denial of Service (DoS) due to insufficient validation of untrusted input in V8.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade electron to version 18.3.14 or higher.

References

Denial of Service (DoS) vulnerability report

high severity

Denial of Service (DoS)

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Denial of Service (DoS) due to type confusion in V8, which allows a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Remediation

Upgrade electron to version 19.1.7, 20.3.7 or higher.

References

Denial of Service (DoS) vulnerability report

high severity

Denial of Service (DoS)

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Denial of Service (DoS) via an Out of bounds memory access in V8.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade electron to version 27.3.6, 28.2.7, 29.1.2 or higher.

References

Denial of Service (DoS) vulnerability report

high severity

Heap-based Buffer Overflow

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Heap-based Buffer Overflow in Freetype.

Remediation

Upgrade electron to version 8.5.3, 9.3.3, 10.1.5 or higher.

References

Heap-based Buffer Overflow vulnerability report

high severity

Heap-based Buffer Overflow

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Heap-based Buffer Overflow via V8.

Remediation

Upgrade electron to version 10.4.4, 11.4.4, 12.0.6 or higher.

References

Heap-based Buffer Overflow vulnerability report

high severity

Out-of-bounds Read

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Out-of-bounds Read. An unknown vunerability exists in Chrome which affects electron.

Remediation

Upgrade electron to version 9.4.1, 10.3.2 or higher.

References

Out-of-bounds Read vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free. FileChooserImpl can outlive ListenerProxy leading to a crash.

Remediation

Upgrade electron to version 6.1.10, 7.2.2, 8.2.0 or higher.

References

Use After Free vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free. Initialize() could potentially run twice in MojoVideoEncodeAcceleratorService.

Remediation

Upgrade electron to version 6.1.10, 7.2.2, 8.2.1 or higher.

References

Use After Free vulnerability report

high severity

Prototype Pollution

  • Vulnerable module: lodash
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 data-forge@0.5.3 promised-mongo@1.2.0 lodash@3.10.1

Overview

lodash is a modern JavaScript utility library delivering modularity, performance, & extras.

Affected versions of this package are vulnerable to Prototype Pollution through the zipObjectDeep function due to improper user input sanitization in the baseZipObject function.

PoC

lodash.zipobjectdeep:

const zipObjectDeep = require("lodash.zipobjectdeep");

let emptyObject = {};


console.log(`[+] Before prototype pollution : ${emptyObject.polluted}`);
//[+] Before prototype pollution : undefined

zipObjectDeep(["constructor.prototype.polluted"], [true]);
//we inject our malicious attributes in the vulnerable function

console.log(`[+] After prototype pollution : ${emptyObject.polluted}`);
//[+] After prototype pollution : true

lodash:

const test = require("lodash");

let emptyObject = {};


console.log(`[+] Before prototype pollution : ${emptyObject.polluted}`);
//[+] Before prototype pollution : undefined

test.zipObjectDeep(["constructor.prototype.polluted"], [true]);
//we inject our malicious attributes in the vulnerable function

console.log(`[+] After prototype pollution : ${emptyObject.polluted}`);
//[+] After prototype pollution : true

Details

Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as __proto__, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.

There are two main ways in which the pollution of prototypes occurs:

  • Unsafe Object recursive merge

  • Property definition by path

Unsafe Object recursive merge

The logic of a vulnerable recursive merge function follows the following high-level model:

merge (target, source)

  foreach property of source

    if property exists and is an object on both the target and the source

      merge(target[property], source[property])

    else

      target[property] = source[property]

When the source object contains a property named __proto__ defined with Object.defineProperty() , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of Object and the source of Object as defined by the attacker. Properties are then copied on the Object prototype.

Clone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: merge({},source).

lodash and Hoek are examples of libraries susceptible to recursive merge attacks.

Property definition by path

There are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: theFunction(object, path, value)

If the attacker can control the value of “path”, they can set this value to __proto__.myValue. myValue is then assigned to the prototype of the class of the object.

Types of attacks

There are a few methods by which Prototype Pollution can be manipulated:

Type Origin Short description
Denial of service (DoS) Client This is the most likely attack.
DoS occurs when Object holds generic functions that are implicitly called for various operations (for example, toString and valueOf).
The attacker pollutes Object.prototype.someattr and alters its state to an unexpected value such as Int or Object. In this case, the code fails and is likely to cause a denial of service.
For example: if an attacker pollutes Object.prototype.toString by defining it as an integer, if the codebase at any point was reliant on someobject.toString() it would fail.
Remote Code Execution Client Remote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.
For example: eval(someobject.someattr). In this case, if the attacker pollutes Object.prototype.someattr they are likely to be able to leverage this in order to execute code.
Property Injection Client The attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.
For example: if a codebase checks privileges for someuser.isAdmin, then when the attacker pollutes Object.prototype.isAdmin and sets it to equal true, they can then achieve admin privileges.

Affected environments

The following environments are susceptible to a Prototype Pollution attack:

  • Application server

  • Web server

  • Web browser

How to prevent

  1. Freeze the prototype— use Object.freeze (Object.prototype).

  2. Require schema validation of JSON input.

  3. Avoid using unsafe recursive merge functions.

  4. Consider using objects without prototypes (for example, Object.create(null)), breaking the prototype chain and preventing pollution.

  5. As a best practice use Map instead of Object.

For more information on this vulnerability type:

Arteau, Oliver. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018

Remediation

Upgrade lodash to version 4.17.17 or higher.

References

Prototype Pollution vulnerability report

high severity

Regular Expression Denial of Service (ReDoS)

  • Vulnerable module: nth-check
  • Introduced through: textract@2.5.0

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d textract@2.5.0 cheerio@1.0.0-rc.2 css-select@1.2.0 nth-check@1.0.2

Overview

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) when parsing crafted invalid CSS nth-checks, due to the sub-pattern \s*(?:([+-]?)\s*(\d+))? in RE_NTH_ELEMENT with quantified overlapping adjacency.

PoC

var nthCheck = require("nth-check")
for(var i = 1; i <= 50000; i++) {
    var time = Date.now();
    var attack_str = '2n' + ' '.repeat(i*10000)+"!";
    try {
        nthCheck.parse(attack_str) 
    }
    catch(err) {
        var time_cost = Date.now() - time;
        console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms")
    }
}

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

Let’s take the following regular expression as an example:

regex = /A(B|C+)+D/

This regular expression accomplishes the following:

  • A The string must start with the letter 'A'
  • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
  • D Finally, we ensure this section of the string ends with a 'D'

The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

It most cases, it doesn't take very long for a regex engine to find a match:

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
0.04s user 0.01s system 95% cpu 0.052 total

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
1.79s user 0.02s system 99% cpu 1.812 total

The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

  1. CCC
  2. CC+C
  3. C+CC
  4. C+C+C.

The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

From there, the number of steps the engine must use to validate a string just continues to grow.

String Number of C's Number of steps
ACCCX 3 38
ACCCCX 4 71
ACCCCCX 5 136
ACCCCCCCCCCCCCCX 14 65,553

By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

Remediation

Upgrade nth-check to version 2.0.1 or higher.

References

Regular Expression Denial of Service (ReDoS) vulnerability report

high severity

Regular Expression Denial of Service (ReDoS)

  • Vulnerable module: semver
  • Introduced through: botframework-connector@4.23.0, botbuilder@4.23.0 and others

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 semver@2.3.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botbuilder@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 semver@2.3.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botbuilder-dialogs@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 semver@2.3.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botbuilder-ai@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 semver@2.3.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 semver@2.3.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botbuilder@4.23.0 botbuilder-core@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 semver@2.3.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botbuilder-dialogs@4.23.0 botbuilder-core@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 semver@2.3.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botbuilder-ai@4.23.0 botbuilder-core@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 semver@2.3.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botbuilder@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 semver@2.3.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botbuilder-ai@4.23.0 botbuilder-dialogs@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 semver@2.3.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botbuilder-dialogs@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 semver@2.3.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botbuilder-ai@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 semver@2.3.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botbuilder@4.23.0 botbuilder-core@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 semver@2.3.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botbuilder-ai@4.23.0 botbuilder-dialogs@4.23.0 botbuilder-core@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 semver@2.3.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botbuilder-dialogs@4.23.0 botbuilder-core@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 semver@2.3.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botbuilder-ai@4.23.0 botbuilder-core@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 semver@2.3.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botbuilder-azure@4.23.0 botbuilder@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 semver@2.3.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botbuilder-ai@4.23.0 botbuilder-dialogs-declarative@4.23.0-preview botbuilder-dialogs@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 semver@2.3.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botbuilder-ai@4.23.0 botbuilder-dialogs@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 semver@2.3.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botbuilder-azure@4.23.0 botbuilder@4.23.0 botbuilder-core@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 semver@2.3.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botbuilder-ai@4.23.0 botbuilder-dialogs-declarative@4.23.0-preview botbuilder-dialogs@4.23.0 botbuilder-core@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 semver@2.3.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botbuilder-ai@4.23.0 botbuilder-dialogs@4.23.0 botbuilder-core@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 semver@2.3.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botbuilder-ai@4.23.0 botbuilder-dialogs-declarative@4.23.0-preview botbuilder-dialogs@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 semver@2.3.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botbuilder-ai@4.23.0 botbuilder-dialogs-declarative@4.23.0-preview botbuilder-dialogs@4.23.0 botbuilder-core@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 semver@2.3.2

Overview

semver is a semantic version parser used by npm.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

PoC


const semver = require('semver')
const lengths_2 = [2000, 4000, 8000, 16000, 32000, 64000, 128000]

console.log("n[+] Valid range - Test payloads")
for (let i = 0; i =1.2.3' + ' '.repeat(lengths_2[i]) + '<1.3.0';
const start = Date.now()
semver.validRange(value)
// semver.minVersion(value)
// semver.maxSatisfying(["1.2.3"], value)
// semver.minSatisfying(["1.2.3"], value)
// new semver.Range(value, {})

const end = Date.now();
console.log('length=%d, time=%d ms', value.length, end - start);
}

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

Let’s take the following regular expression as an example:

regex = /A(B|C+)+D/

This regular expression accomplishes the following:

  • A The string must start with the letter 'A'
  • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
  • D Finally, we ensure this section of the string ends with a 'D'

The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

It most cases, it doesn't take very long for a regex engine to find a match:

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
0.04s user 0.01s system 95% cpu 0.052 total

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
1.79s user 0.02s system 99% cpu 1.812 total

The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

  1. CCC
  2. CC+C
  3. C+CC
  4. C+C+C.

The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

From there, the number of steps the engine must use to validate a string just continues to grow.

String Number of C's Number of steps
ACCCX 3 38
ACCCCX 4 71
ACCCCCX 5 136
ACCCCCCCCCCCCCCX 14 65,553

By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

Remediation

Upgrade semver to version 5.7.2, 6.3.1, 7.5.2 or higher.

References

Regular Expression Denial of Service (ReDoS) vulnerability report

high severity

Denial of Service (DoS)

  • Vulnerable module: trim-newlines
  • Introduced through: textract@2.5.0

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d textract@2.5.0 meow@3.7.0 trim-newlines@1.0.0

Overview

trim-newlines is a Trim newlines from the start and/or end of a string

Affected versions of this package are vulnerable to Denial of Service (DoS) via the end() method.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade trim-newlines to version 3.0.1, 4.0.1 or higher.

References

Denial of Service (DoS) vulnerability report

high severity

Denial of Service (DoS)

  • Vulnerable module: ws
  • Introduced through: whatsapp-web.js@1.26.1-alpha.1

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d whatsapp-web.js@1.26.1-alpha.1 puppeteer@18.2.1 puppeteer-core@18.2.1 ws@8.9.0

Overview

ws is a simple to use websocket client, server and console for node.js.

Affected versions of this package are vulnerable to Denial of Service (DoS) when the number of received headers exceed the server.maxHeadersCount or request.maxHeadersCount threshold.

Workaround

This issue can be mitigating by following these steps:

  1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent.

  2. Set server.maxHeadersCount to 0 so that no limit is applied.

PoC


const http = require('http');
const WebSocket = require('ws');

const server = http.createServer();

const wss = new WebSocket.Server({ server });

server.listen(function () {
  const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
  const headers = {};
  let count = 0;

  for (let i = 0; i < chars.length; i++) {
    if (count === 2000) break;

    for (let j = 0; j < chars.length; j++) {
      const key = chars[i] + chars[j];
      headers[key] = 'x';

      if (++count === 2000) break;
    }
  }

  headers.Connection = 'Upgrade';
  headers.Upgrade = 'websocket';
  headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
  headers['Sec-WebSocket-Version'] = '13';

  const request = http.request({
    headers: headers,
    host: '127.0.0.1',
    port: server.address().port
  });

  request.end();
});

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade ws to version 5.2.4, 6.2.3, 7.5.10, 8.17.1 or higher.

References

Denial of Service (DoS) vulnerability report

high severity

Denial of Service (DoS)

  • Vulnerable module: xlsx
  • Introduced through: textract@2.5.0

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d textract@2.5.0 j@0.4.3 xlsx@0.7.12

Overview

xlsx is a Parser and writer for various spreadsheet formats.

Affected versions of this package are vulnerable to Denial of Service (DoS). An attacker who can send a malicious excel file parsed by this library can crash the Node.JS process.

Note:

xlsx package after version 0.18.5 is distributed only via the authoritative source for SheetJS modules. See this issue (https://github.com/SheetJS/sheetjs/issues/2667) for full details.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade xlsx to version 0.17.0 or higher.

References

Denial of Service (DoS) vulnerability report

high severity

Denial of Service (DoS)

  • Vulnerable module: xlsx
  • Introduced through: textract@2.5.0

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d textract@2.5.0 j@0.4.3 xlsx@0.7.12

Overview

xlsx is a Parser and writer for various spreadsheet formats.

Affected versions of this package are vulnerable to Denial of Service (DoS). An attacker who can send a malicious excel file parsed by this library can cause maximum CPU usage.

Note:

xlsx package after version 0.18.5 is distributed only via the authoritative source for SheetJS modules. See this issue (https://github.com/SheetJS/sheetjs/issues/2667) for full details.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade xlsx to version 0.17.0 or higher.

References

Denial of Service (DoS) vulnerability report

high severity

Denial of Service (DoS)

  • Vulnerable module: xlsx
  • Introduced through: textract@2.5.0

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d textract@2.5.0 j@0.4.3 xlsx@0.7.12

Overview

xlsx is a Parser and writer for various spreadsheet formats.

Affected versions of this package are vulnerable to Denial of Service (DoS). An attacker who can send a malicious excel file parsed by this library can crash the Node.JS process.

Note:

xlsx package after version 0.18.5 is distributed only via the authoritative source for SheetJS modules. See this issue (https://github.com/SheetJS/sheetjs/issues/2667) for full details.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade xlsx to version 0.17.0 or higher.

References

Denial of Service (DoS) vulnerability report

high severity

Regular Expression Denial of Service (ReDoS)

  • Vulnerable module: xlsx
  • Introduced through: @nosferatu500/textract@3.1.3, node-nlp@4.27.0 and others

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d @nosferatu500/textract@3.1.3 xlsx@0.18.5
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d node-nlp@4.27.0 @nlpjs/xtables@4.25.0 xlsx@0.18.5
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d textract@2.5.0 j@0.4.3 xlsx@0.7.12

Overview

xlsx is a Parser and writer for various spreadsheet formats.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in multiple functions, allowing an attacker to crash the system by submitting specially crafted input.

Note:

This vulnerability was fixed in version 0.20.2 of SheetJS that is distributed only via the authoritative source for SheetJS modules. See this issue (https://github.com/SheetJS/sheetjs/issues/2667) for full details.

PoC


//Crafted file

node -e 'console.log("<!--".repeat(150387))' > evilFile.xlsx

//Snippet code for xlsx

const xlsx = require('xlsx'); 

(() => {
    console.time()
    xlsx.readFile('./evilFile.xlsx', {});
    console.timeEnd()
})();

//Snippet code for @e965/xlsx

const @e965/xlsx = require('@e965/xlsx'); 

(() => {
    console.time()
    @e965/xlsx.readFile('./evilFile.xlsx', {});
    console.timeEnd()
})();

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

Let’s take the following regular expression as an example:

regex = /A(B|C+)+D/

This regular expression accomplishes the following:

  • A The string must start with the letter 'A'
  • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
  • D Finally, we ensure this section of the string ends with a 'D'

The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

It most cases, it doesn't take very long for a regex engine to find a match:

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
0.04s user 0.01s system 95% cpu 0.052 total

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
1.79s user 0.02s system 99% cpu 1.812 total

The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

  1. CCC
  2. CC+C
  3. C+CC
  4. C+C+C.

The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

From there, the number of steps the engine must use to validate a string just continues to grow.

String Number of C's Number of steps
ACCCX 3 38
ACCCCX 4 71
ACCCCCX 5 136
ACCCCCCCCCCCCCCX 14 65,553

By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

Remediation

A fix was pushed into the master branch but not yet published.

References

Regular Expression Denial of Service (ReDoS) vulnerability report

high severity

Directory Traversal

  • Vulnerable module: adm-zip
  • Introduced through: @nosferatu500/textract@3.1.3 and textract@2.5.0

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d @nosferatu500/textract@3.1.3 epub2@1.3.8 adm-zip@0.4.16
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d textract@2.5.0 epub2@1.3.4 adm-zip@0.4.16

Overview

adm-zip is a JavaScript implementation for zip data compression for NodeJS.

Affected versions of this package are vulnerable to Directory Traversal. It could extract files outside the target folder.

Details

A Directory Traversal attack (also known as path traversal) aims to access files and directories that are stored outside the intended folder. By manipulating files with "dot-dot-slash (../)" sequences and its variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system, including application source code, configuration, and other critical system files.

Directory Traversal vulnerabilities can be generally divided into two types:

  • Information Disclosure: Allows the attacker to gain information about the folder structure or read the contents of sensitive files on the system.

st is a module for serving static files on web pages, and contains a vulnerability of this type. In our example, we will serve files from the public route.

If an attacker requests the following URL from our server, it will in turn leak the sensitive private key of the root user.

curl http://localhost:8080/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/root/.ssh/id_rsa

Note %2e is the URL encoded version of . (dot).

  • Writing arbitrary files: Allows the attacker to create or replace existing files. This type of vulnerability is also known as Zip-Slip.

One way to achieve this is by using a malicious zip archive that holds path traversal filenames. When each filename in the zip archive gets concatenated to the target extraction folder, without validation, the final path ends up outside of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.

The following is an example of a zip archive with one benign file and one malicious file. Extracting the malicious file will result in traversing out of the target folder, ending up in /root/.ssh/ overwriting the authorized_keys file:

2018-04-15 22:04:29 .....           19           19  good.txt
2018-04-15 22:04:42 .....           20           20  ../../../../../../root/.ssh/authorized_keys

Remediation

Upgrade adm-zip to version 0.5.2 or higher.

References

Directory Traversal vulnerability report

high severity

Out-of-bounds Read

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Out-of-bounds Read via the IPC in chromium.

Remediation

Upgrade electron to version 11.4.4, 10.4.4 or higher.

References

Out-of-bounds Read vulnerability report

high severity

Arbitrary Code Execution

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Arbitrary Code Execution due to Node being enabled in a webview because the default values of nodeIntegration and webviewTag were set to true when they where undefined by a user. The fix allows users to prevent Node and webview being enabled, when undefined, by setting the default values of nodeIntegration and webviewTag to false.

Remediation

Upgrade electron to version 5.0.0-beta.1 or higher.

References

Arbitrary Code Execution vulnerability report

high severity

Buffer Overflow

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Buffer Overflow in ANGLE.

Remediation

Upgrade electron to version 13.5.0, 12.2.0 or higher.

References

Buffer Overflow vulnerability report

high severity

Heap-based Buffer Overflow

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Heap-based Buffer Overflow in Reader Mode.

Remediation

Upgrade electron to version 12.0.10, 11.4.8, 10.4.7 or higher.

References

Heap-based Buffer Overflow vulnerability report

high severity

Heap-based Buffer Overflow

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Heap-based Buffer Overflow in History.

Remediation

Upgrade electron to version 12.0.10, 11.4.8, 10.4.7 or higher.

References

Heap-based Buffer Overflow vulnerability report

high severity

Heap-based Buffer Overflow

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Heap-based Buffer Overflow in Media Feeds.

Remediation

Upgrade electron to version 12.0.10, 11.4.8, 10.4.7 or higher.

References

Heap-based Buffer Overflow vulnerability report

high severity

Heap-based Buffer Overflow

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Heap-based Buffer Overflow via the Blink module in Chromium.

Remediation

Upgrade electron to version 14.2.0, 13.5.2 or higher.

References

Heap-based Buffer Overflow vulnerability report

high severity

Heap-based Buffer Overflow

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Heap-based Buffer Overflow in WebGPU.

Remediation

Upgrade electron to version 16.2.5, 17.4.3 or higher.

References

Heap-based Buffer Overflow vulnerability report

high severity

Heap-based Buffer Overflow

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Heap-based Buffer Overflow in V8 Internationalization.

Remediation

Upgrade electron to version 15.5.6, 16.2.7, 17.4.5 or higher.

References

Heap-based Buffer Overflow vulnerability report

high severity

Heap-based Buffer Overflow

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Heap-based Buffer Overflow in Crashpad in Google Chrome on Android, which allows a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.

Remediation

Upgrade electron to version 19.1.7, 20.3.7 or higher.

References

Heap-based Buffer Overflow vulnerability report

high severity

Heap-based Buffer Overflow

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Heap-based Buffer Overflow in Network Service via a crafted HTML page and specific interactions.

Remediation

Upgrade electron to version 20.3.10, 21.3.5 or higher.

References

Heap-based Buffer Overflow vulnerability report

high severity

Heap-based Buffer Overflow

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Heap-based Buffer Overflow in Metrics by allowing a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page.

Remediation

Upgrade electron to version 21.4.4, 22.3.5 or higher.

References

Heap-based Buffer Overflow vulnerability report

high severity

Heap-based Buffer Overflow

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Heap-based Buffer Overflow in vp8 encoding in libvpx.

Remediation

Upgrade electron to version 22.3.25, 24.8.5, 25.8.4, 26.2.4, 27.0.0-beta.8 or higher.

References

Heap-based Buffer Overflow vulnerability report

high severity

Heap-based Buffer Overflow

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Heap-based Buffer Overflow in the WebRTC framework, used to provide Real-Time Communications (RTC) capabilities via JavaScript APIs.

Remediation

Upgrade electron to version 26.6.3, 27.2.0, 28.1.0 or higher.

References

Heap-based Buffer Overflow vulnerability report

high severity

Heap-based Buffer Overflow

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Heap-based Buffer Overflow in the ANGLE process. An attacker can perform an out of bounds memory read via a crafted HTML page.

Remediation

Upgrade electron to version 29.4.3 or higher.

References

Heap-based Buffer Overflow vulnerability report

high severity

Heap-based Buffer Overflow

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Heap-based Buffer Overflow in the Dawn process. An attacker can perform an out of bounds memory write by exploiting a crafted HTML page.

Remediation

Upgrade electron to version 29.4.3 or higher.

References

Heap-based Buffer Overflow vulnerability report

high severity

Improper Check or Handling of Exceptional Conditions

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Improper Check or Handling of Exceptional Conditions which returns an invalid handle after ReportBadMessage

Remediation

Upgrade electron to version 14.2.7, 15.4.0, 16.0.10 or higher.

References

Improper Check or Handling of Exceptional Conditions vulnerability report

high severity

Improper Input Validation

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Improper Input Validation in Blink Editing.

Remediation

Upgrade electron to version 15.5.4, 16.2.6, 17.4.3, 18.2.2 or higher.

References

Improper Input Validation vulnerability report

high severity

Improper Validation

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Improper Validation. The value of a node was accessed without prior HasValue check. With WebAssembly this node is not guaranteed to be a value.

Remediation

Upgrade electron to version 10.1.6, 9.4.4 or higher.

References

Improper Validation vulnerability report

high severity

Inappropriate implementation

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Inappropriate implementation in Input.

Remediation

Upgrade electron to version 15.5.5, 16.2.6, 17.4.4, 18.2.2 or higher.

References

Inappropriate implementation vulnerability report

high severity

Insufficient Validation

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Insufficient Validation in V8.

Remediation

Upgrade electron to version 9.4.0, 10.2.0 or higher.

References

Insufficient Validation vulnerability report

high severity

Insufficient Validation

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Insufficient Validation via an unknown issue in chromium.

Remediation

Upgrade electron to version 9.4.2, 10.3.1, 11.2.2 or higher.

References

Insufficient Validation vulnerability report

high severity

Out-of-Bounds

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Out-of-Bounds in ANGLE.

Remediation

Upgrade electron to version 13.5.0, 12.2.0 or higher.

References

Out-of-Bounds vulnerability report

high severity

Out-of-bounds Read

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Out-of-bounds Read. The input to sctp_load_addresses_from_init is verified by calling sctp_arethere_unrecognized_parameters, however there is a difference in how these functions handle parameter bounds. The function sctp_arethere_unrecognized_parameters does not process a parameter that is partially outside of the limit of the chunk, meanwhile, sctp_load_addresses_from_init will continue processing until a parameter that is entirely outside of the chunk occurs.

This means that the last parameter of a chunk is not always verified, which can lead to parameters with very short plen values being processed by sctp_load_addresses_from_init. This can lead to out-of-bounds reads whenever the plen is subtracted from the header len.

Remediation

Upgrade electron to version 6.1.10, 7.2.2, 8.2.0 or higher.

References

Out-of-bounds Read vulnerability report

high severity

Race Condition

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Race Condition in Aura.

Remediation

Upgrade electron to version 12.0.10, 11.4.8, 10.4.7 or higher.

References

Race Condition vulnerability report

high severity

Type Confusion

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Type Confusion due to mishandling of interceptors which can lead to out-of-bounds memory access.

Remediation

Upgrade electron to version 15.5.0, 16.2.0 or higher.

References

Type Confusion vulnerability report

high severity

Type Confusion

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Type Confusion in V8.

Remediation

Upgrade electron to version 15.5.3, 16.2.3, 17.4.1 or higher.

References

Type Confusion vulnerability report

high severity

Type Confusion

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Type Confusion due to a type confusion in V8. A remote attacker could exploit heap corruption via a crafted HTML page.

Note: The Stable channel has been updated to 120.0.6099.234 for Mac devices.

Remediation

Upgrade electron to version 26.6.6, 27.2.3, 28.1.4 or higher.

References

Type Confusion vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in V8.

Remediation

Upgrade electron to version 13.6.6, 14.2.4 or higher.

References

Use After Free vulnerability report

high severity

Prototype Pollution

  • Vulnerable module: lodash
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 data-forge@0.5.3 promised-mongo@1.2.0 lodash@3.10.1

Overview

lodash is a modern JavaScript utility library delivering modularity, performance, & extras.

Affected versions of this package are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

PoC by Snyk

const mergeFn = require('lodash').defaultsDeep;
const payload = '{"constructor": {"prototype": {"a0": true}}}'

function check() {
    mergeFn({}, JSON.parse(payload));
    if (({})[`a0`] === true) {
        console.log(`Vulnerable to Prototype Pollution via ${payload}`);
    }
  }

check();

For more information, check out our blog post

Details

Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as __proto__, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.

There are two main ways in which the pollution of prototypes occurs:

  • Unsafe Object recursive merge

  • Property definition by path

Unsafe Object recursive merge

The logic of a vulnerable recursive merge function follows the following high-level model:

merge (target, source)

  foreach property of source

    if property exists and is an object on both the target and the source

      merge(target[property], source[property])

    else

      target[property] = source[property]

When the source object contains a property named __proto__ defined with Object.defineProperty() , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of Object and the source of Object as defined by the attacker. Properties are then copied on the Object prototype.

Clone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: merge({},source).

lodash and Hoek are examples of libraries susceptible to recursive merge attacks.

Property definition by path

There are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: theFunction(object, path, value)

If the attacker can control the value of “path”, they can set this value to __proto__.myValue. myValue is then assigned to the prototype of the class of the object.

Types of attacks

There are a few methods by which Prototype Pollution can be manipulated:

Type Origin Short description
Denial of service (DoS) Client This is the most likely attack.
DoS occurs when Object holds generic functions that are implicitly called for various operations (for example, toString and valueOf).
The attacker pollutes Object.prototype.someattr and alters its state to an unexpected value such as Int or Object. In this case, the code fails and is likely to cause a denial of service.
For example: if an attacker pollutes Object.prototype.toString by defining it as an integer, if the codebase at any point was reliant on someobject.toString() it would fail.
Remote Code Execution Client Remote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.
For example: eval(someobject.someattr). In this case, if the attacker pollutes Object.prototype.someattr they are likely to be able to leverage this in order to execute code.
Property Injection Client The attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.
For example: if a codebase checks privileges for someuser.isAdmin, then when the attacker pollutes Object.prototype.isAdmin and sets it to equal true, they can then achieve admin privileges.

Affected environments

The following environments are susceptible to a Prototype Pollution attack:

  • Application server

  • Web server

  • Web browser

How to prevent

  1. Freeze the prototype— use Object.freeze (Object.prototype).

  2. Require schema validation of JSON input.

  3. Avoid using unsafe recursive merge functions.

  4. Consider using objects without prototypes (for example, Object.create(null)), breaking the prototype chain and preventing pollution.

  5. As a best practice use Map instead of Object.

For more information on this vulnerability type:

Arteau, Oliver. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018

Remediation

Upgrade lodash to version 4.17.12 or higher.

References

Prototype Pollution vulnerability report

high severity

Prototype Pollution

  • Vulnerable module: lodash
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 data-forge@0.5.3 promised-mongo@1.2.0 lodash@3.10.1

Overview

lodash is a modern JavaScript utility library delivering modularity, performance, & extras.

Affected versions of this package are vulnerable to Prototype Pollution via the set and setwith functions due to improper user input sanitization.

PoC

lod = require('lodash')
lod.set({}, "__proto__[test2]", "456")
console.log(Object.prototype)

Details

Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as __proto__, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.

There are two main ways in which the pollution of prototypes occurs:

  • Unsafe Object recursive merge

  • Property definition by path

Unsafe Object recursive merge

The logic of a vulnerable recursive merge function follows the following high-level model:

merge (target, source)

  foreach property of source

    if property exists and is an object on both the target and the source

      merge(target[property], source[property])

    else

      target[property] = source[property]

When the source object contains a property named __proto__ defined with Object.defineProperty() , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of Object and the source of Object as defined by the attacker. Properties are then copied on the Object prototype.

Clone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: merge({},source).

lodash and Hoek are examples of libraries susceptible to recursive merge attacks.

Property definition by path

There are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: theFunction(object, path, value)

If the attacker can control the value of “path”, they can set this value to __proto__.myValue. myValue is then assigned to the prototype of the class of the object.

Types of attacks

There are a few methods by which Prototype Pollution can be manipulated:

Type Origin Short description
Denial of service (DoS) Client This is the most likely attack.
DoS occurs when Object holds generic functions that are implicitly called for various operations (for example, toString and valueOf).
The attacker pollutes Object.prototype.someattr and alters its state to an unexpected value such as Int or Object. In this case, the code fails and is likely to cause a denial of service.
For example: if an attacker pollutes Object.prototype.toString by defining it as an integer, if the codebase at any point was reliant on someobject.toString() it would fail.
Remote Code Execution Client Remote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.
For example: eval(someobject.someattr). In this case, if the attacker pollutes Object.prototype.someattr they are likely to be able to leverage this in order to execute code.
Property Injection Client The attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.
For example: if a codebase checks privileges for someuser.isAdmin, then when the attacker pollutes Object.prototype.isAdmin and sets it to equal true, they can then achieve admin privileges.

Affected environments

The following environments are susceptible to a Prototype Pollution attack:

  • Application server

  • Web server

  • Web browser

How to prevent

  1. Freeze the prototype— use Object.freeze (Object.prototype).

  2. Require schema validation of JSON input.

  3. Avoid using unsafe recursive merge functions.

  4. Consider using objects without prototypes (for example, Object.create(null)), breaking the prototype chain and preventing pollution.

  5. As a best practice use Map instead of Object.

For more information on this vulnerability type:

Arteau, Oliver. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018

Remediation

Upgrade lodash to version 4.17.17 or higher.

References

Prototype Pollution vulnerability report

high severity

Prototype Pollution

  • Vulnerable module: lodash
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 data-forge@0.5.3 promised-mongo@1.2.0 lodash@3.10.1

Overview

lodash is a modern JavaScript utility library delivering modularity, performance, & extras.

Affected versions of this package are vulnerable to Prototype Pollution. The functions merge, mergeWith, and defaultsDeep could be tricked into adding or modifying properties of Object.prototype. This is due to an incomplete fix to CVE-2018-3721.

Details

Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as __proto__, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.

There are two main ways in which the pollution of prototypes occurs:

  • Unsafe Object recursive merge

  • Property definition by path

Unsafe Object recursive merge

The logic of a vulnerable recursive merge function follows the following high-level model:

merge (target, source)

  foreach property of source

    if property exists and is an object on both the target and the source

      merge(target[property], source[property])

    else

      target[property] = source[property]

When the source object contains a property named __proto__ defined with Object.defineProperty() , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of Object and the source of Object as defined by the attacker. Properties are then copied on the Object prototype.

Clone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: merge({},source).

lodash and Hoek are examples of libraries susceptible to recursive merge attacks.

Property definition by path

There are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: theFunction(object, path, value)

If the attacker can control the value of “path”, they can set this value to __proto__.myValue. myValue is then assigned to the prototype of the class of the object.

Types of attacks

There are a few methods by which Prototype Pollution can be manipulated:

Type Origin Short description
Denial of service (DoS) Client This is the most likely attack.
DoS occurs when Object holds generic functions that are implicitly called for various operations (for example, toString and valueOf).
The attacker pollutes Object.prototype.someattr and alters its state to an unexpected value such as Int or Object. In this case, the code fails and is likely to cause a denial of service.
For example: if an attacker pollutes Object.prototype.toString by defining it as an integer, if the codebase at any point was reliant on someobject.toString() it would fail.
Remote Code Execution Client Remote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.
For example: eval(someobject.someattr). In this case, if the attacker pollutes Object.prototype.someattr they are likely to be able to leverage this in order to execute code.
Property Injection Client The attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.
For example: if a codebase checks privileges for someuser.isAdmin, then when the attacker pollutes Object.prototype.isAdmin and sets it to equal true, they can then achieve admin privileges.

Affected environments

The following environments are susceptible to a Prototype Pollution attack:

  • Application server

  • Web server

  • Web browser

How to prevent

  1. Freeze the prototype— use Object.freeze (Object.prototype).

  2. Require schema validation of JSON input.

  3. Avoid using unsafe recursive merge functions.

  4. Consider using objects without prototypes (for example, Object.create(null)), breaking the prototype chain and preventing pollution.

  5. As a best practice use Map instead of Object.

For more information on this vulnerability type:

Arteau, Oliver. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018

Remediation

Upgrade lodash to version 4.17.11 or higher.

References

Prototype Pollution vulnerability report

high severity

Code Injection

  • Vulnerable module: lodash
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 data-forge@0.5.3 promised-mongo@1.2.0 lodash@3.10.1

Overview

lodash is a modern JavaScript utility library delivering modularity, performance, & extras.

Affected versions of this package are vulnerable to Code Injection via template.

PoC

var _ = require('lodash');

_.template('', { variable: '){console.log(process.env)}; with(obj' })()

Remediation

Upgrade lodash to version 4.17.21 or higher.

References

Code Injection vulnerability report

high severity

Cross-site Request Forgery (CSRF)

  • Vulnerable module: axios
  • Introduced through: ms-rest-azure@3.0.2

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d ms-rest-azure@3.0.2 adal-node@0.2.4 axios@0.21.4

Overview

axios is a promise-based HTTP client for the browser and Node.js.

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) due to inserting the X-XSRF-TOKEN header using the secret XSRF-TOKEN cookie value in all requests to any server when the XSRF-TOKEN0 cookie is available, and the withCredentials setting is turned on. If a malicious user manages to obtain this value, it can potentially lead to the XSRF defence mechanism bypass.

Workaround

Users should change the default XSRF-TOKEN cookie name in the Axios configuration and manually include the corresponding header only in the specific places where it's necessary.

Remediation

Upgrade axios to version 0.28.0, 1.6.0 or higher.

References

Cross-site Request Forgery (CSRF) vulnerability report

high severity

Out-of-bounds Read

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Out-of-bounds Read in WebRTC, exploitable via a crafted HTML page.

Remediation

Upgrade electron to version 22.3.16 or higher.

References

Out-of-bounds Read vulnerability report

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via the Media Stream process. An attacker can potentially exploit heap corruption by crafting a malicious HTML page.

Remediation

Upgrade electron to version 26.6.3, 27.2.0 or higher.

References

Use After Free vulnerability report

high severity

Out-of-bounds Read

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Out-of-bounds Read in Skia.

Remediation

Upgrade electron to version 31.7.2, 32.2.2 or higher.

References

Out-of-bounds Read vulnerability report

high severity

AGPL-3.0 license

  • Module: botlib
  • Introduced through: botlib@5.0.0

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0

AGPL-3.0 license

AGPL-3.0 license vulnerability report

high severity

GPL-3.0 license

  • Module: ffmpeg-static
  • Introduced through: ffmpeg-static@5.2.0

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d ffmpeg-static@5.2.0

GPL-3.0 license

GPL-3.0 license vulnerability report

high severity

GPL-3.0 license

  • Module: whatsapp-cloud-api
  • Introduced through: whatsapp-cloud-api@0.3.1

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d whatsapp-cloud-api@0.3.1

GPL-3.0 license

GPL-3.0 license vulnerability report

medium severity
new

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: axios
  • Introduced through: ms-rest-azure@3.0.2

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d ms-rest-azure@3.0.2 adal-node@0.2.4 axios@0.21.4

Overview

axios is a promise-based HTTP client for the browser and Node.js.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the data: URL handler. An attacker can trigger a denial of service by crafting a data: URL with an excessive payload, causing allocation of memory for content decoding before verifying content size limits.

Remediation

Upgrade axios to version 1.12.0 or higher.

References

Allocation of Resources Without Limits or Throttling vulnerability report

medium severity

Access of Resource Using Incompatible Type ('Type Confusion')

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8 and electron@32.0.1

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d electron@32.0.1
    Remediation: Upgrade to electron@32.2.3.

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Access of Resource Using Incompatible Type ('Type Confusion') via a crafted HTML page. An attacker can potentially exploit heap corruption.

Remediation

Upgrade electron to version 31.7.4, 32.2.3 or higher.

References

Access of Resource Using Incompatible Type ('Type Confusion') vulnerability report

medium severity

Access of Resource Using Incompatible Type ('Type Confusion')

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8 and electron@32.0.1

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d electron@32.0.1
    Remediation: Upgrade to electron@32.2.3.

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Access of Resource Using Incompatible Type ('Type Confusion') via a crafted HTML page. An attacker can potentially exploit heap corruption.

Remediation

Upgrade electron to version 32.2.3 or higher.

References

Access of Resource Using Incompatible Type ('Type Confusion') vulnerability report

medium severity

Access of Resource Using Incompatible Type ('Type Confusion')

  • Vulnerable module: electron
  • Introduced through: electron@32.0.1

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d electron@32.0.1
    Remediation: Upgrade to electron@32.2.8.

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Access of Resource Using Incompatible Type ('Type Confusion') via a crafted HTML page. An attacker can potentially exploit object corruption by manipulating the HTML content.

Remediation

Upgrade electron to version 31.7.7, 32.2.8 or higher.

References

Access of Resource Using Incompatible Type ('Type Confusion') vulnerability report

medium severity

Access Restriction Bypass

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8 and electron@32.0.1

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d electron@32.0.1
    Remediation: Upgrade to electron@32.2.5.

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Access Restriction Bypass due to an inappropriate implementation in the Extensions feature. An attacker can bypass site isolation.

Remediation

Upgrade electron to version 31.7.5, 32.2.5, 33.2.1 or higher.

References

Access Restriction Bypass vulnerability report

medium severity

Heap-based Buffer Overflow

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Heap-based Buffer Overflow in Fonts.

Remediation

Upgrade electron to version 31.7.2 or higher.

References

Heap-based Buffer Overflow vulnerability report

medium severity

Heap-based Buffer Overflow

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Heap-based Buffer Overflow through the V8 engine.

Remediation

Upgrade electron to version 31.7.2 or higher.

References

Heap-based Buffer Overflow vulnerability report

medium severity

Heap-based Buffer Overflow

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8 and electron@32.0.1

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d electron@32.0.1
    Remediation: Upgrade to electron@32.3.2.

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Heap-based Buffer Overflow in v8, when processing a very large number of parameters.

Remediation

Upgrade electron to version 32.3.2, 33.4.2 or higher.

References

Heap-based Buffer Overflow vulnerability report

medium severity

Improper Isolation or Compartmentalization

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8 and electron@32.0.1

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d electron@32.0.1
    Remediation: Upgrade to electron@33.4.8.

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Improper Isolation or Compartmentalization that allows an attacker who can convince a user to follow a malicious link to escape sandbox protections, due to a logic error in the Mojo component. This vulnerability does not enable code execution on its own, but is presumed chainable with another vulnerability to achieve code execution and has been observed in the wild.

Note: This vulnerability is only exploitable on Windows.

Remediation

Upgrade electron to version 33.4.8, 34.4.1, 35.1.2 or higher.

References

Improper Isolation or Compartmentalization vulnerability report

medium severity

Integer Overflow or Wraparound

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8 and electron@32.0.1

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d electron@32.0.1
    Remediation: Upgrade to electron@37.2.4.

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Integer Overflow or Wraparound via an incorrect count being passed to InstructionAccurateScope in the V8 engine. An attacker can cause heap corruption by enticing a user to visit a specially crafted HTML page.

Remediation

Upgrade electron to version 37.2.4 or higher.

References

Integer Overflow or Wraparound vulnerability report

medium severity

Type Confusion

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Type Confusion. An attacker can access memory locations outside of the intended bounds by crafting a malicious HTML page that triggers type confusion in the V8 engine.

Remediation

Upgrade electron to version 31.7.2 or higher.

References

Type Confusion vulnerability report

medium severity

Arbitrary File Write via Archive Extraction (Zip Slip)

  • Vulnerable module: langchain
  • Introduced through: langchain@0.2.17

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d langchain@0.2.17
    Remediation: Upgrade to langchain@0.2.19.

Overview

langchain is a Typescript bindings for langchain

Affected versions of this package are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) in the getFullPath method, which allows an attacker to save files anywhere in the filesystem through the setFileContent function, overwrite and read existing text files through the getParsedFile function, and delete files through the mdelete function.

Details

It is exploited using a specially crafted zip archive, that holds path traversal filenames. When exploited, a filename in a malicious archive is concatenated to the target extraction directory, which results in the final path ending up outside of the target folder. For instance, a zip may hold a file with a "../../file.exe" location and thus break out of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.

The following is an example of a zip archive with one benign file and one malicious file. Extracting the malicous file will result in traversing out of the target folder, ending up in /root/.ssh/ overwriting the authorized_keys file:


+2018-04-15 22:04:29 ..... 19 19 good.txt

+2018-04-15 22:04:42 ..... 20 20 ../../../../../../root/.ssh/authorized_keys

Remediation

Upgrade langchain to version 0.2.19 or higher.

References

Arbitrary File Write via Archive Extraction (Zip Slip) vulnerability report

medium severity

Regular Expression Denial of Service (ReDoS)

  • Vulnerable module: path-to-regexp
  • Introduced through: express@4.19.2

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d express@4.19.2 path-to-regexp@0.1.7
    Remediation: Upgrade to express@4.20.0.

Overview

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) when including multiple regular expression parameters in a single segment, which will produce the regular expression /^\/([^\/]+?)-([^\/]+?)\/?$/, if two parameters within a single segment are separated by a character other than a / or .. Poor performance will block the event loop and can lead to a DoS.

Note: While the 8.0.0 release has completely eliminated the vulnerable functionality, prior versions that have received the patch to mitigate backtracking may still be vulnerable if custom regular expressions are used. So it is strongly recommended for regular expression input to be controlled to avoid malicious performance degradation in those versions. This behavior is enforced as of version 7.1.0 via the strict option, which returns an error if a dangerous regular expression is detected.

Workaround

This vulnerability can be avoided by using a custom regular expression for parameters after the first in a segment, which excludes - and /.

PoC

/a${'-a'.repeat(8_000)}/a

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

Let’s take the following regular expression as an example:

regex = /A(B|C+)+D/

This regular expression accomplishes the following:

  • A The string must start with the letter 'A'
  • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
  • D Finally, we ensure this section of the string ends with a 'D'

The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

It most cases, it doesn't take very long for a regex engine to find a match:

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
0.04s user 0.01s system 95% cpu 0.052 total

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
1.79s user 0.02s system 99% cpu 1.812 total

The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

  1. CCC
  2. CC+C
  3. C+CC
  4. C+C+C.

The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

From there, the number of steps the engine must use to validate a string just continues to grow.

String Number of C's Number of steps
ACCCX 3 38
ACCCCX 4 71
ACCCCCX 5 136
ACCCCCCCCCCCCCCX 14 65,553

By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

Remediation

Upgrade path-to-regexp to version 0.1.10, 1.9.0, 3.3.0, 6.3.0, 8.0.0 or higher.

References

Regular Expression Denial of Service (ReDoS) vulnerability report

medium severity

Regular Expression Denial of Service (ReDoS)

  • Vulnerable module: path-to-regexp
  • Introduced through: express@4.19.2

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d express@4.19.2 path-to-regexp@0.1.7
    Remediation: Upgrade to express@4.21.2.

Overview

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) when including multiple regular expression parameters in a single segment, when the separator is not . (e.g. no /:a-:b). Poor performance will block the event loop and can lead to a DoS.

Note:

This issue is caused due to an incomplete fix for CVE-2024-45296.

Workarounds

This can be mitigated by avoiding using two parameters within a single path segment, when the separator is not . (e.g. no /:a-:b). Alternatively, the regex used for both parameters can be defined to ensure they do not overlap to allow backtracking.

PoC

/a${'-a'.repeat(8_000)}/a

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

Let’s take the following regular expression as an example:

regex = /A(B|C+)+D/

This regular expression accomplishes the following:

  • A The string must start with the letter 'A'
  • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
  • D Finally, we ensure this section of the string ends with a 'D'

The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

It most cases, it doesn't take very long for a regex engine to find a match:

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
0.04s user 0.01s system 95% cpu 0.052 total

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
1.79s user 0.02s system 99% cpu 1.812 total

The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

  1. CCC
  2. CC+C
  3. C+CC
  4. C+C+C.

The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

From there, the number of steps the engine must use to validate a string just continues to grow.

String Number of C's Number of steps
ACCCX 3 38
ACCCCX 4 71
ACCCCCX 5 136
ACCCCCCCCCCCCCCX 14 65,553

By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

Remediation

Upgrade path-to-regexp to version 0.1.12 or higher.

References

Regular Expression Denial of Service (ReDoS) vulnerability report

medium severity

Arbitrary File Read

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Arbitrary File Read. It allows arbitrary local file read by defining unsafe window options on a child window opened via window.open.

Remediation

Upgrade electron to version 7.2.4, 8.2.4 or higher.

References

Arbitrary File Read vulnerability report

medium severity

Integer Overflow or Wraparound

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Integer Overflow or Wraparound when decoding videos with a large frame size. An attacker can cause memory corruption within the AV1 decoder by providing a specially crafted video file.

Remediation

Upgrade electron to version 27.3.11, 28.3.1 or higher.

References

Integer Overflow or Wraparound vulnerability report

medium severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via Angle, where base level changes may not update FBO completeness check.

Remediation

Upgrade electron to version 16.2.0 or higher.

References

Use After Free vulnerability report

medium severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free. The rendering_orphan_handlers_ and deletable_orphan_handlers_ handlers can hold references to the context after BaseAudioContext is destroyed.

Remediation

Upgrade electron to version 6.1.10, 7.2.2, 8.2.1 or higher.

References

Use After Free vulnerability report

medium severity

Use of a Broken or Risky Cryptographic Algorithm

  • Vulnerable module: jsonwebtoken
  • Introduced through: nexmo@2.9.1

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d nexmo@2.9.1 jsonwebtoken@8.5.1

Overview

jsonwebtoken is a JSON Web Token implementation (symmetric and asymmetric)

Affected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm such that the library can be misconfigured to use legacy, insecure key types for signature verification. For example, DSA keys could be used with the RS256 algorithm.

Exploitability

Users are affected when using an algorithm and a key type other than the combinations mentioned below:

EC: ES256, ES384, ES512

RSA: RS256, RS384, RS512, PS256, PS384, PS512

RSA-PSS: PS256, PS384, PS512

And for Elliptic Curve algorithms:

ES256: prime256v1

ES384: secp384r1

ES512: secp521r1

Workaround

Users who are unable to upgrade to the fixed version can use the allowInvalidAsymmetricKeyTypes option to true in the sign() and verify() functions to continue usage of invalid key type/algorithm combination in 9.0.0 for legacy compatibility.

Remediation

Upgrade jsonwebtoken to version 9.0.0 or higher.

References

Use of a Broken or Risky Cryptographic Algorithm vulnerability report

medium severity

Improper Input Validation

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Improper Input Validation which allows attackers who have control over a given app's update server or update storage to serve maliciously crafted update packages that pass the code signing validation check but contain malicious code in some components.

Remediation

Upgrade electron to version 15.5.0, 16.2.0, 17.2.0, 18.0.0 or higher.

References

Improper Input Validation vulnerability report

medium severity

Regular Expression Denial of Service (ReDoS)

  • Vulnerable module: csv-parse
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 data-forge@0.5.3 csv@0.4.6 csv-parse@1.3.3

Overview

csv-parse is a parser converting CSV text input into arrays or objects.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). The __isInt() function contains a malformed regular expression that processes large specially-crafted input very slowly, leading to a Denial of Service. This is triggered when using the cast option.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

Let’s take the following regular expression as an example:

regex = /A(B|C+)+D/

This regular expression accomplishes the following:

  • A The string must start with the letter 'A'
  • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
  • D Finally, we ensure this section of the string ends with a 'D'

The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

It most cases, it doesn't take very long for a regex engine to find a match:

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
0.04s user 0.01s system 95% cpu 0.052 total

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
1.79s user 0.02s system 99% cpu 1.812 total

The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

  1. CCC
  2. CC+C
  3. C+CC
  4. C+C+C.

The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

From there, the number of steps the engine must use to validate a string just continues to grow.

String Number of C's Number of steps
ACCCX 3 38
ACCCCX 4 71
ACCCCCX 5 136
ACCCCCCCCCCCCCCX 14 65,553

By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

Remediation

Upgrade csv-parse to version 4.4.6 or higher.

References

Regular Expression Denial of Service (ReDoS) vulnerability report

medium severity

Access Restriction Bypass

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Access Restriction Bypass. Inappropriate implementation in Referrer in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. This vulnerability relates to an electron component.

Remediation

Upgrade electron to version 10.4.3, 11.4.1 or higher.

References

Access Restriction Bypass vulnerability report

medium severity

Domain Spoofing

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Domain Spoofing via a crafted HTML page as a result of inappropriate implementation in navigation in Google Chrome.

Remediation

Upgrade electron to version 16.0.0 or higher.

References

Domain Spoofing vulnerability report

medium severity

Heap-based Buffer Overflow

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Heap-based Buffer Overflow in WebGL via Chrome. This allows a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Remediation

Upgrade electron to version 13.1.8, 12.0.16, 11.4.11 or higher.

References

Heap-based Buffer Overflow vulnerability report

medium severity

Improper Input Validation

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Improper Input Validation via the File System API.

Remediation

Upgrade electron to version 11.2.1, 9.4.4 or higher.

References

Improper Input Validation vulnerability report

medium severity

Improper Input Validation

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Improper Input Validation in Data Transfer, because the sanitization code only does one round of parsing and serializing.

Remediation

Upgrade electron to version 17.4.8, 18.3.5 or higher.

References

Improper Input Validation vulnerability report

medium severity

Inappropriate Implementation

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Inappropriate Implementation via cache in Google Chrome. This allows a remote attacker to leak cross-origin data via a crafted HTML page.

Remediation

Upgrade electron to version 13.6.6, 14.2.2, 15.3.3 or higher.

References

Inappropriate Implementation vulnerability report

medium severity

Information Exposure

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Information Exposure. When a BigInt is right-shifted the backing store is not properly cleared, allowing uninitialized memory to be read.

Remediation

Upgrade electron to version 9.4.1, 10.3.2 or higher.

References

Information Exposure vulnerability report

medium severity

Information Exposure

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Information Exposure via the core module in Chromium.

Remediation

Upgrade electron to version 14.2.0, 13.5.2, 12.2.2 or higher.

References

Information Exposure vulnerability report

medium severity

Improper Restriction of Security Token Assignment

  • Vulnerable module: jsonwebtoken
  • Introduced through: nexmo@2.9.1

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d nexmo@2.9.1 jsonwebtoken@8.5.1

Overview

jsonwebtoken is a JSON Web Token implementation (symmetric and asymmetric)

Affected versions of this package are vulnerable to Improper Restriction of Security Token Assignment via the secretOrPublicKey argument due to misconfigurations of the key retrieval function jwt.verify(). Exploiting this vulnerability might result in incorrect verification of forged tokens when tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm.

Note: This vulnerability affects your application if it supports the usage of both symmetric and asymmetric keys in jwt.verify() implementation with the same key retrieval function.

Remediation

Upgrade jsonwebtoken to version 9.0.0 or higher.

References

Improper Restriction of Security Token Assignment vulnerability report

medium severity

Server-side Request Forgery (SSRF)

  • Vulnerable module: request
  • Introduced through: instagram-private-api@1.46.1, ms-rest-azure@3.0.2 and others

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d instagram-private-api@1.46.1 request@2.88.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d ms-rest-azure@3.0.2 request@2.88.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d nexmo@2.9.1 request@2.88.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d ms-rest-azure@3.0.2 ms-rest@2.5.6 request@2.88.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d pragmatismo-io-framework@1.1.1 ms-rest-azure@2.5.9 request@2.88.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 data-forge@0.5.3 request@2.88.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d get-image-colors@4.0.1 get-pixels@3.3.3 request@2.88.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d pragmatismo-io-framework@1.1.1 azure-cognitiveservices-textanalytics@2.0.0 ms-rest@2.5.6 request@2.88.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d pragmatismo-io-framework@1.1.1 ms-rest-azure@2.5.9 ms-rest@2.5.6 request@2.88.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d pragmatismo-io-framework@1.1.1 ms-rest-azure@2.5.9 adal-node@0.1.28 request@2.88.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 pragmatismo-io-framework@1.1.1 ms-rest-azure@2.5.9 request@2.88.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 pragmatismo-io-framework@1.1.1 azure-cognitiveservices-textanalytics@2.0.0 ms-rest@2.5.6 request@2.88.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 pragmatismo-io-framework@1.1.1 ms-rest-azure@2.5.9 ms-rest@2.5.6 request@2.88.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 pragmatismo-io-framework@1.1.1 ms-rest-azure@2.5.9 adal-node@0.1.28 request@2.88.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8 electron-download@3.3.0 nugget@2.2.0 request@2.88.2

Overview

request is a simplified http request client.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) due to insufficient checks in the lib/redirect.js file by allowing insecure redirects in the default configuration, via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).

NOTE: request package has been deprecated, so a fix is not expected. See https://github.com/request/request/issues/3142.

Remediation

A fix was pushed into the master branch but not yet published.

References

Server-side Request Forgery (SSRF) vulnerability report

medium severity

Prototype Pollution

  • Vulnerable module: tough-cookie
  • Introduced through: instagram-private-api@1.46.1, ms-rest-azure@3.0.2 and others

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d instagram-private-api@1.46.1 tough-cookie@2.5.0
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d instagram-private-api@1.46.1 request@2.88.2 tough-cookie@2.5.0
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d ms-rest-azure@3.0.2 request@2.88.2 tough-cookie@2.5.0
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d nexmo@2.9.1 request@2.88.2 tough-cookie@2.5.0
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d instagram-private-api@1.46.1 request-promise@4.2.6 tough-cookie@2.5.0
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d ms-rest-azure@3.0.2 ms-rest@2.5.6 request@2.88.2 tough-cookie@2.5.0
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d pragmatismo-io-framework@1.1.1 ms-rest-azure@2.5.9 request@2.88.2 tough-cookie@2.5.0
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 data-forge@0.5.3 request@2.88.2 tough-cookie@2.5.0
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d get-image-colors@4.0.1 get-pixels@3.3.3 request@2.88.2 tough-cookie@2.5.0
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 data-forge@0.5.3 request-promise@4.2.6 tough-cookie@2.5.0
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d pragmatismo-io-framework@1.1.1 azure-cognitiveservices-textanalytics@2.0.0 ms-rest@2.5.6 request@2.88.2 tough-cookie@2.5.0
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d pragmatismo-io-framework@1.1.1 ms-rest-azure@2.5.9 ms-rest@2.5.6 request@2.88.2 tough-cookie@2.5.0
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d pragmatismo-io-framework@1.1.1 ms-rest-azure@2.5.9 adal-node@0.1.28 request@2.88.2 tough-cookie@2.5.0
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 pragmatismo-io-framework@1.1.1 ms-rest-azure@2.5.9 request@2.88.2 tough-cookie@2.5.0
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 pragmatismo-io-framework@1.1.1 azure-cognitiveservices-textanalytics@2.0.0 ms-rest@2.5.6 request@2.88.2 tough-cookie@2.5.0
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 pragmatismo-io-framework@1.1.1 ms-rest-azure@2.5.9 ms-rest@2.5.6 request@2.88.2 tough-cookie@2.5.0
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 pragmatismo-io-framework@1.1.1 ms-rest-azure@2.5.9 adal-node@0.1.28 request@2.88.2 tough-cookie@2.5.0
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8 electron-download@3.3.0 nugget@2.2.0 request@2.88.2 tough-cookie@2.5.0

Overview

tough-cookie is a RFC6265 Cookies and CookieJar module for Node.js.

Affected versions of this package are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. Due to an issue with the manner in which the objects are initialized, an attacker can expose or modify a limited amount of property information on those objects. There is no impact to availability.

PoC

// PoC.js
async function main(){
var tough = require("tough-cookie");
var cookiejar = new tough.CookieJar(undefined,{rejectPublicSuffixes:false});
// Exploit cookie
await cookiejar.setCookie(
  "Slonser=polluted; Domain=__proto__; Path=/notauth",
  "https://__proto__/admin"
);
// normal cookie
var cookie = await cookiejar.setCookie(
  "Auth=Lol; Domain=google.com; Path=/notauth",
  "https://google.com/"
);

//Exploit cookie
var a = {};
console.log(a["/notauth"]["Slonser"])
}
main();

Details

Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as __proto__, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.

There are two main ways in which the pollution of prototypes occurs:

  • Unsafe Object recursive merge

  • Property definition by path

Unsafe Object recursive merge

The logic of a vulnerable recursive merge function follows the following high-level model:

merge (target, source)

  foreach property of source

    if property exists and is an object on both the target and the source

      merge(target[property], source[property])

    else

      target[property] = source[property]

When the source object contains a property named __proto__ defined with Object.defineProperty() , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of Object and the source of Object as defined by the attacker. Properties are then copied on the Object prototype.

Clone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: merge({},source).

lodash and Hoek are examples of libraries susceptible to recursive merge attacks.

Property definition by path

There are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: theFunction(object, path, value)

If the attacker can control the value of “path”, they can set this value to __proto__.myValue. myValue is then assigned to the prototype of the class of the object.

Types of attacks

There are a few methods by which Prototype Pollution can be manipulated:

Type Origin Short description
Denial of service (DoS) Client This is the most likely attack.
DoS occurs when Object holds generic functions that are implicitly called for various operations (for example, toString and valueOf).
The attacker pollutes Object.prototype.someattr and alters its state to an unexpected value such as Int or Object. In this case, the code fails and is likely to cause a denial of service.
For example: if an attacker pollutes Object.prototype.toString by defining it as an integer, if the codebase at any point was reliant on someobject.toString() it would fail.
Remote Code Execution Client Remote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.
For example: eval(someobject.someattr). In this case, if the attacker pollutes Object.prototype.someattr they are likely to be able to leverage this in order to execute code.
Property Injection Client The attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.
For example: if a codebase checks privileges for someuser.isAdmin, then when the attacker pollutes Object.prototype.isAdmin and sets it to equal true, they can then achieve admin privileges.

Affected environments

The following environments are susceptible to a Prototype Pollution attack:

  • Application server

  • Web server

  • Web browser

How to prevent

  1. Freeze the prototype— use Object.freeze (Object.prototype).

  2. Require schema validation of JSON input.

  3. Avoid using unsafe recursive merge functions.

  4. Consider using objects without prototypes (for example, Object.create(null)), breaking the prototype chain and preventing pollution.

  5. As a best practice use Map instead of Object.

For more information on this vulnerability type:

Arteau, Oliver. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018

Remediation

Upgrade tough-cookie to version 4.1.3 or higher.

References

Prototype Pollution vulnerability report

medium severity

Improper Input Validation

  • Vulnerable module: xmldom
  • Introduced through: pragmatismo-io-framework@1.1.1, botlib@5.0.0 and others

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d pragmatismo-io-framework@1.1.1 ms-rest-azure@2.5.9 adal-node@0.1.28 xmldom@0.6.0
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 pragmatismo-io-framework@1.1.1 ms-rest-azure@2.5.9 adal-node@0.1.28 xmldom@0.6.0
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d open-docxtemplater-image-module@1.0.3 xmldom@0.1.31
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d textract@2.5.0 xmldom@0.1.27

Overview

xmldom is an A pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module.

Affected versions of this package are vulnerable to Improper Input Validation. It does not correctly escape special characters when serializing elements are removed from their ancestor. This may lead to unexpected syntactic changes during XML processing in some downstream applications.

Note: Customers who use "xmldom" package, should use "@xmldom/xmldom" instead, as "xmldom" is no longer maintained.

Remediation

There is no fixed version for xmldom.

References

Improper Input Validation vulnerability report

medium severity

Improper Authentication

  • Vulnerable module: jsonwebtoken
  • Introduced through: nexmo@2.9.1

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d nexmo@2.9.1 jsonwebtoken@8.5.1

Overview

jsonwebtoken is a JSON Web Token implementation (symmetric and asymmetric)

Affected versions of this package are vulnerable to Improper Authentication such that the lack of algorithm definition in the jwt.verify() function can lead to signature validation bypass due to defaulting to the none algorithm for signature verification.

Exploitability

Users are affected only if all of the following conditions are true for the jwt.verify() function:

  1. A token with no signature is received.

  2. No algorithms are specified.

  3. A falsy (e.g., null, false, undefined) secret or key is passed.

Remediation

Upgrade jsonwebtoken to version 9.0.0 or higher.

References

Improper Authentication vulnerability report

medium severity

Cross-site Scripting (XSS)

  • Vulnerable module: cookie
  • Introduced through: express@4.19.2 and swagger-client@3.29.2

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d express@4.19.2 cookie@0.6.0
    Remediation: Upgrade to express@4.21.1.
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d swagger-client@3.29.2 cookie@0.6.0
    Remediation: Upgrade to swagger-client@3.29.4.

Overview

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the cookie name, path, or domain, which can be used to set unexpected values to other cookie fields.

Workaround

Users who are not able to upgrade to the fixed version should avoid passing untrusted or arbitrary values for the cookie fields and ensure they are set by the application instead of user input.

Details

Cross-site scripting (or XSS) is a code vulnerability that occurs when an attacker “injects” a malicious script into an otherwise trusted website. The injected script gets downloaded and executed by the end user’s browser when the user interacts with the compromised website.

This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.

Injecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.

Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, < can be coded as &lt; and > can be coded as &gt; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses < and > as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.

The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.

Types of attacks

There are a few methods by which XSS can be manipulated:

Type Origin Description
Stored Server The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.
Reflected Server The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.
DOM-based Client The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.
Mutated The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.

Affected environments

The following environments are susceptible to an XSS attack:

  • Web servers
  • Application servers
  • Web application environments

How to prevent

This section describes the top best practices designed to specifically protect your code:

  • Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.
  • Convert special characters such as ?, &, /, <, > and spaces to their respective HTML or URL encoded equivalents.
  • Give users the option to disable client-side scripts.
  • Redirect invalid requests.
  • Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.
  • Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.
  • Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.

Remediation

Upgrade cookie to version 0.7.0 or higher.

References

Cross-site Scripting (XSS) vulnerability report

medium severity

Improper Input Validation

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Improper Input Validation in file system.

Remediation

Upgrade electron to version 19.1.5, 21.2.2 or higher.

References

Improper Input Validation vulnerability report

medium severity

Type Confusion

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Type Confusion in V8.

Remediation

Upgrade electron to version 15.5.3, 16.2.4, 17.4.2 or higher.

References

Type Confusion vulnerability report

medium severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in Network service.

Remediation

Upgrade electron to version 12.0.13, 11.4.10 or higher.

References

Use After Free vulnerability report

medium severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via sqlite. This can allow a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Remediation

Upgrade electron to version 13.1.8, 12.0.16, 11.4.11 or higher.

References

Use After Free vulnerability report

medium severity

Arbitrary File Write via Archive Extraction (Zip Slip)

  • Vulnerable module: jszip
  • Introduced through: textract@2.5.0

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d textract@2.5.0 j@0.4.3 xlsx@0.7.12 jszip@2.4.0

Overview

jszip is a Create, read and edit .zip files with JavaScript http://stuartk.com/jszip

Affected versions of this package are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) due to improper sanitization of filenames when files are loaded with the loadAsync method.

Details

It is exploited using a specially crafted zip archive, that holds path traversal filenames. When exploited, a filename in a malicious archive is concatenated to the target extraction directory, which results in the final path ending up outside of the target folder. For instance, a zip may hold a file with a "../../file.exe" location and thus break out of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.

The following is an example of a zip archive with one benign file and one malicious file. Extracting the malicous file will result in traversing out of the target folder, ending up in /root/.ssh/ overwriting the authorized_keys file:


+2018-04-15 22:04:29 ..... 19 19 good.txt

+2018-04-15 22:04:42 ..... 20 20 ../../../../../../root/.ssh/authorized_keys

Remediation

Upgrade jszip to version 2.7.0, 3.8.0 or higher.

References

Arbitrary File Write via Archive Extraction (Zip Slip) vulnerability report

medium severity

Prototype Pollution

  • Vulnerable module: lodash
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 data-forge@0.5.3 promised-mongo@1.2.0 lodash@3.10.1
    Remediation: Open PR to patch lodash@3.10.1.

Overview

lodash is a modern JavaScript utility library delivering modularity, performance, & extras.

Affected versions of this package are vulnerable to Prototype Pollution. The utilities function allow modification of the Object prototype. If an attacker can control part of the structure passed to this function, they could add or modify an existing property.

PoC by Olivier Arteau (HoLyVieR)

var _= require('lodash');
var malicious_payload = '{"__proto__":{"oops":"It works !"}}';

var a = {};
console.log("Before : " + a.oops);
_.merge({}, JSON.parse(malicious_payload));
console.log("After : " + a.oops);

Details

Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as __proto__, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.

There are two main ways in which the pollution of prototypes occurs:

  • Unsafe Object recursive merge

  • Property definition by path

Unsafe Object recursive merge

The logic of a vulnerable recursive merge function follows the following high-level model:

merge (target, source)

  foreach property of source

    if property exists and is an object on both the target and the source

      merge(target[property], source[property])

    else

      target[property] = source[property]

When the source object contains a property named __proto__ defined with Object.defineProperty() , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of Object and the source of Object as defined by the attacker. Properties are then copied on the Object prototype.

Clone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: merge({},source).

lodash and Hoek are examples of libraries susceptible to recursive merge attacks.

Property definition by path

There are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: theFunction(object, path, value)

If the attacker can control the value of “path”, they can set this value to __proto__.myValue. myValue is then assigned to the prototype of the class of the object.

Types of attacks

There are a few methods by which Prototype Pollution can be manipulated:

Type Origin Short description
Denial of service (DoS) Client This is the most likely attack.
DoS occurs when Object holds generic functions that are implicitly called for various operations (for example, toString and valueOf).
The attacker pollutes Object.prototype.someattr and alters its state to an unexpected value such as Int or Object. In this case, the code fails and is likely to cause a denial of service.
For example: if an attacker pollutes Object.prototype.toString by defining it as an integer, if the codebase at any point was reliant on someobject.toString() it would fail.
Remote Code Execution Client Remote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.
For example: eval(someobject.someattr). In this case, if the attacker pollutes Object.prototype.someattr they are likely to be able to leverage this in order to execute code.
Property Injection Client The attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.
For example: if a codebase checks privileges for someuser.isAdmin, then when the attacker pollutes Object.prototype.isAdmin and sets it to equal true, they can then achieve admin privileges.

Affected environments

The following environments are susceptible to a Prototype Pollution attack:

  • Application server

  • Web server

  • Web browser

How to prevent

  1. Freeze the prototype— use Object.freeze (Object.prototype).

  2. Require schema validation of JSON input.

  3. Avoid using unsafe recursive merge functions.

  4. Consider using objects without prototypes (for example, Object.create(null)), breaking the prototype chain and preventing pollution.

  5. As a best practice use Map instead of Object.

For more information on this vulnerability type:

Arteau, Oliver. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018

Remediation

Upgrade lodash to version 4.17.5 or higher.

References

Prototype Pollution vulnerability report

medium severity

Server-side Request Forgery (SSRF)

  • Vulnerable module: axios
  • Introduced through: ms-rest-azure@3.0.2

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d ms-rest-azure@3.0.2 adal-node@0.2.4 axios@0.21.4

Overview

axios is a promise-based HTTP client for the browser and Node.js.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) due to the allowAbsoluteUrls attribute being ignored in the call to the buildFullPath function from the HTTP adapter. An attacker could launch SSRF attacks or exfiltrate sensitive data by tricking applications into sending requests to malicious endpoints.

PoC

const axios = require('axios');
const client = axios.create({baseURL: 'http://example.com/', allowAbsoluteUrls: false});
client.get('http://evil.com');

Remediation

Upgrade axios to version 0.30.0, 1.8.2 or higher.

References

Server-side Request Forgery (SSRF) vulnerability report

medium severity

Server-side Request Forgery (SSRF)

  • Vulnerable module: axios
  • Introduced through: ms-rest-azure@3.0.2

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d ms-rest-azure@3.0.2 adal-node@0.2.4 axios@0.21.4

Overview

axios is a promise-based HTTP client for the browser and Node.js.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) due to not setting allowAbsoluteUrls to false by default when processing a requested URL in buildFullPath(). It may not be obvious that this value is being used with the less safe default, and URLs that are expected to be blocked may be accepted. This is a bypass of the fix for the vulnerability described in CVE-2025-27152.

Remediation

Upgrade axios to version 0.30.0, 1.8.3 or higher.

References

Server-side Request Forgery (SSRF) vulnerability report

medium severity

Race Condition

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Race Condition via a crafted Chrome Extension. An attacker who convinced a user to install a malicious extension can inject scripts or HTML into a privileged page.

Remediation

Upgrade electron to version 29.4.6, 30.4.0 or higher.

References

Race Condition vulnerability report

medium severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via the xmlTextReader module. An attacker can cause denial of service by processing crafted XML documents with DTD validation and XInclude expansion enabled.

Remediation

Upgrade electron to version 27.3.5, 28.2.6 or higher.

References

Use After Free vulnerability report

medium severity

Missing Release of Resource after Effective Lifetime

  • Vulnerable module: inflight
  • Introduced through: sequelize-typescript@2.1.6, ssr-for-bots@1.0.1-c and others

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d sequelize-typescript@2.1.6 glob@7.2.0 inflight@1.0.6
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d ssr-for-bots@1.0.1-c tslint@6.1.3 glob@7.2.3 inflight@1.0.6
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 sequelize-typescript@2.1.6 glob@7.2.0 inflight@1.0.6
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d bcrypt@5.1.1 @mapbox/node-pre-gyp@1.0.11 rimraf@3.0.2 glob@7.2.3 inflight@1.0.6
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d ssr-for-bots@1.0.1-c puppeteer@5.5.0 rimraf@3.0.2 glob@7.2.3 inflight@1.0.6
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 rimraf@2.7.1 glob@7.2.3 inflight@1.0.6
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d exceljs@4.4.0 archiver@5.3.2 archiver-utils@2.1.0 glob@7.2.3 inflight@1.0.6
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d pdf-to-png-converter@3.3.0 canvas@2.11.2 @mapbox/node-pre-gyp@1.0.11 rimraf@3.0.2 glob@7.2.3 inflight@1.0.6
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d puppeteer-extra-plugin-stealth@2.11.2 puppeteer-extra-plugin-user-preferences@2.4.1 puppeteer-extra-plugin-user-data-dir@2.4.1 rimraf@3.0.2 glob@7.2.3 inflight@1.0.6
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d whatsapp-web.js@1.26.1-alpha.1 puppeteer@18.2.1 puppeteer-core@18.2.1 rimraf@3.0.2 glob@7.2.3 inflight@1.0.6
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d exceljs@4.4.0 unzipper@0.10.14 fstream@1.0.12 rimraf@2.7.1 glob@7.2.3 inflight@1.0.6
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d exceljs@4.4.0 archiver@5.3.2 zip-stream@4.1.1 archiver-utils@3.0.4 glob@7.2.3 inflight@1.0.6
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8 electron-download@3.3.0 fs-extra@0.30.0 rimraf@2.7.1 glob@7.2.3 inflight@1.0.6

Overview

Affected versions of this package are vulnerable to Missing Release of Resource after Effective Lifetime via the makeres function due to improperly deleting keys from the reqs object after execution of callbacks. This behavior causes the keys to remain in the reqs object, which leads to resource exhaustion.

Exploiting this vulnerability results in crashing the node process or in the application crash.

Note: This library is not maintained, and currently, there is no fix for this issue. To overcome this vulnerability, several dependent packages have eliminated the use of this library.

To trigger the memory leak, an attacker would need to have the ability to execute or influence the asynchronous operations that use the inflight module within the application. This typically requires access to the internal workings of the server or application, which is not commonly exposed to remote users. Therefore, “Attack vector” is marked as “Local”.

PoC

const inflight = require('inflight');

function testInflight() {
  let i = 0;
  function scheduleNext() {
    let key = `key-${i++}`;
    const callback = () => {
    };
    for (let j = 0; j < 1000000; j++) {
      inflight(key, callback);
    }

    setImmediate(scheduleNext);
  }


  if (i % 100 === 0) {
    console.log(process.memoryUsage());
  }

  scheduleNext();
}

testInflight();

Remediation

There is no fixed version for inflight.

References

Missing Release of Resource after Effective Lifetime vulnerability report

medium severity

Insufficient Verification of Data Authenticity

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity when the embeddedAsarIntegrityValidation and onlyLoadAppFromAsar fuses are enabled.

An attacker can edit files inside the .app bundle on macOS, which these fuses are supposed to protect against, by gaining write access to the filesystem from which the app is launched.

Note

This is only exploitable if your app is launched from a filesystem the attacker has write access to and is specific to macOS, as these fuses are only supported on macOS.

Remediation

Upgrade electron to version 22.3.24, 24.8.3, 25.8.1, 26.2.1 or higher.

References

Insufficient Verification of Data Authenticity vulnerability report

medium severity

Access Control Bypass

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Access Control Bypass due to insufficient policy enforcement in Cookies.

Remediation

Upgrade electron to version 18.3.9, 19.0.12 or higher.

References

Access Control Bypass vulnerability report

medium severity

Protection Mechanism Failure

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Protection Mechanism Failure in File System API.

Remediation

Upgrade electron to version 17.4.9, 18.3.6, 19.0.7 or higher.

References

Protection Mechanism Failure vulnerability report

medium severity

Regular Expression Denial of Service (ReDoS)

  • Vulnerable module: marked
  • Introduced through: textract@2.5.0

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d textract@2.5.0 marked@0.6.2

Overview

marked is a low-level compiler for parsing markdown without caching or blocking for long periods of time.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). The em regex within src/rules.js file have multiple unused capture groups which could lead to a denial of service attack if user input is reachable.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

Let’s take the following regular expression as an example:

regex = /A(B|C+)+D/

This regular expression accomplishes the following:

  • A The string must start with the letter 'A'
  • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
  • D Finally, we ensure this section of the string ends with a 'D'

The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

It most cases, it doesn't take very long for a regex engine to find a match:

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
0.04s user 0.01s system 95% cpu 0.052 total

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
1.79s user 0.02s system 99% cpu 1.812 total

The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

  1. CCC
  2. CC+C
  3. C+CC
  4. C+C+C.

The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

From there, the number of steps the engine must use to validate a string just continues to grow.

String Number of C's Number of steps
ACCCX 3 38
ACCCCX 4 71
ACCCCCX 5 136
ACCCCCCCCCCCCCCX 14 65,553

By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

Remediation

Upgrade marked to version 1.1.1 or higher.

References

Regular Expression Denial of Service (ReDoS) vulnerability report

medium severity

Information Exposure

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Information Exposure in that it reveals hashed credentials when the target of a redirect is an SMB URL, such as one using the file:// scheme.

NOTE: This vulnerability is only exploitable on Windows.

Workaround

This vulnerability can be worked around by preventing redirects to file:// URLs in the WebContents.on('will-redirect') event.

Remediation

Upgrade electron to version 18.3.7, 19.0.11, 20.0.1 or higher.

References

Information Exposure vulnerability report

medium severity

Buffer Underflow

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Buffer Underflow. Since there may be multiple instance of DWriteFontProxyImpl instantiated for multiple RenderProcessHosts, and DWriteFontProxyImpl::GetUniqueNameLookupTable may access DWriteFontLookupTableBuilder::QueueShareMemoryRegionWhenReady from separate threads, there may be race conditions around the pending_callbacks_ member of DWriteFontLookupTableBuilder.

Remediation

Upgrade electron to version 6.1.10, 7.2.2, 8.2.0 or higher.

References

Buffer Underflow vulnerability report

medium severity

Buffer Overflow

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Buffer Overflow when changing the PDF layout confuses AddFindResult() and causes it to fail a DCHECK()

Remediation

Upgrade electron to version 18.3.8, 19.0.13 or higher.

References

Buffer Overflow vulnerability report

medium severity

Improper Control of a Resource Through its Lifetime

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Improper Control of a Resource Through its Lifetime in the FramebufferAttachment::mRenderToTextureSamples method in Angle. It was never updated if the renderbuffer storage was changed after attaching to framebuffer.

Remediation

Upgrade electron to version 13.6.8, 14.2.4, 15.3.6 or higher.

References

Improper Control of a Resource Through its Lifetime vulnerability report

medium severity

Inappropriate implementation

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Inappropriate implementation in WebGL.

Remediation

Upgrade electron to version 16.2.5, 17.4.3 or higher.

References

Inappropriate implementation vulnerability report

medium severity

Inappropriate implementation

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Inappropriate implementation in Web Cursor.

Remediation

Upgrade electron to version 15.5.4, 16.2.3, 17.4.1 or higher.

References

Inappropriate implementation vulnerability report

medium severity

Inappropriate Implementation

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Inappropriate Implementation via service workers in Google Chrome. This allows a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page.

Remediation

Upgrade electron to version 14.2.2, 15.3.3 or higher.

References

Inappropriate Implementation vulnerability report

medium severity

Information Exposure

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Information Exposure. Electron before versions 11.0.0-beta.6, 10.1.2, 9.3.1 or 8.5.2 is vulnerable to a context isolation bypass. Apps using both contextIsolation and sandbox: true are affected. Apps using both contextIsolation and nodeIntegrationInSubFrames: true are affected. This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.

Remediation

Upgrade electron to version 8.5.2, 9.3.1, 10.1.2, 11.0.0-beta.6 or higher.

References

Information Exposure vulnerability report

medium severity

Sandbox Bypass

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Sandbox Bypass via chromium, due to a child process's delayed integrity level not being set correctly.

Remediation

Upgrade electron to version 12.2.2, 13.5.2, 14.2.0 or higher.

References

Sandbox Bypass vulnerability report

medium severity

Prototype Pollution

  • Vulnerable module: yargs-parser
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 yargs@8.0.2 yargs-parser@7.0.0

Overview

yargs-parser is a mighty option parser used by yargs.

Affected versions of this package are vulnerable to Prototype Pollution. The library could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload.

Our research team checked several attack vectors to verify this vulnerability:

  1. It could be used for privilege escalation.
  2. The library could be used to parse user input received from different sources:
    • terminal emulators
    • system calls from other code bases
    • CLI RPC servers

PoC by Snyk

const parser = require("yargs-parser");
console.log(parser('--foo.__proto__.bar baz'));
console.log(({}).bar);

Details

Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as __proto__, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.

There are two main ways in which the pollution of prototypes occurs:

  • Unsafe Object recursive merge

  • Property definition by path

Unsafe Object recursive merge

The logic of a vulnerable recursive merge function follows the following high-level model:

merge (target, source)

  foreach property of source

    if property exists and is an object on both the target and the source

      merge(target[property], source[property])

    else

      target[property] = source[property]

When the source object contains a property named __proto__ defined with Object.defineProperty() , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of Object and the source of Object as defined by the attacker. Properties are then copied on the Object prototype.

Clone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: merge({},source).

lodash and Hoek are examples of libraries susceptible to recursive merge attacks.

Property definition by path

There are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: theFunction(object, path, value)

If the attacker can control the value of “path”, they can set this value to __proto__.myValue. myValue is then assigned to the prototype of the class of the object.

Types of attacks

There are a few methods by which Prototype Pollution can be manipulated:

Type Origin Short description
Denial of service (DoS) Client This is the most likely attack.
DoS occurs when Object holds generic functions that are implicitly called for various operations (for example, toString and valueOf).
The attacker pollutes Object.prototype.someattr and alters its state to an unexpected value such as Int or Object. In this case, the code fails and is likely to cause a denial of service.
For example: if an attacker pollutes Object.prototype.toString by defining it as an integer, if the codebase at any point was reliant on someobject.toString() it would fail.
Remote Code Execution Client Remote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.
For example: eval(someobject.someattr). In this case, if the attacker pollutes Object.prototype.someattr they are likely to be able to leverage this in order to execute code.
Property Injection Client The attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.
For example: if a codebase checks privileges for someuser.isAdmin, then when the attacker pollutes Object.prototype.isAdmin and sets it to equal true, they can then achieve admin privileges.

Affected environments

The following environments are susceptible to a Prototype Pollution attack:

  • Application server

  • Web server

  • Web browser

How to prevent

  1. Freeze the prototype— use Object.freeze (Object.prototype).

  2. Require schema validation of JSON input.

  3. Avoid using unsafe recursive merge functions.

  4. Consider using objects without prototypes (for example, Object.create(null)), breaking the prototype chain and preventing pollution.

  5. As a best practice use Map instead of Object.

For more information on this vulnerability type:

Arteau, Oliver. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018

Remediation

Upgrade yargs-parser to version 5.0.1, 13.1.2, 15.0.1, 18.1.1 or higher.

References

Prototype Pollution vulnerability report

medium severity

Exposure of Resource to Wrong Sphere

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Exposure of Resource to Wrong Sphere which allows a renderer with JS execution to obtain access to a new renderer process even without nodeIntegrationInSubFrames being enabled, that allows effective access to ipcRenderer.

Remediation

Upgrade electron to version 15.5.6, 16.2.6, 17.2.0, 18.0.0 or higher.

References

Exposure of Resource to Wrong Sphere vulnerability report

medium severity

Heap-based Buffer Overflow

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Heap-based Buffer Overflow. The nativeImage.createFromPath or nativeImage.createFromBuffer APIs in Electron, which make use of Chromium's JPEGCodec::Decode, are vulnerable to a heap-based buffer overflow. An attacker can execute arbitrary code or cause a crash by supplying specially crafted image data.

Remediation

Upgrade electron to version 28.3.2, 29.3.3, 30.0.3 or higher.

References

Heap-based Buffer Overflow vulnerability report

medium severity

Open Redirect

  • Vulnerable module: got
  • Introduced through: textract@2.5.0

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d textract@2.5.0 got@5.7.1

Overview

Affected versions of this package are vulnerable to Open Redirect due to missing verification of requested URLs. It allowed a victim to be redirected to a UNIX socket.

Remediation

Upgrade got to version 11.8.5, 12.1.0 or higher.

References

Open Redirect vulnerability report

medium severity

XML External Entity (XXE) Injection

  • Vulnerable module: xmldom
  • Introduced through: open-docxtemplater-image-module@1.0.3 and textract@2.5.0

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d open-docxtemplater-image-module@1.0.3 xmldom@0.1.31
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d textract@2.5.0 xmldom@0.1.27

Overview

xmldom is an A pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module.

Affected versions of this package are vulnerable to XML External Entity (XXE) Injection. Does not correctly preserve system identifiers, FPIs or namespaces when repeatedly parsing and serializing maliciously crafted documents.

Details

XXE Injection is a type of attack against an application that parses XML input. XML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.

Attacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.

For example, below is a sample XML document, containing an XML element- username.

<xml>
<?xml version="1.0" encoding="ISO-8859-1"?>
   <username>John</username>
</xml>

An external XML entity - xxe, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. For example the below code contains an external XML entity that would fetch the content of /etc/passwd and display it to the user rendered by username.

<xml>
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
   <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
   <username>&xxe;</username>
</xml>

Other XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.

Remediation

Upgrade xmldom to version 0.5.0 or higher.

References

XML External Entity (XXE) Injection vulnerability report

medium severity

Regular Expression Denial of Service (ReDoS)

  • Vulnerable module: axios
  • Introduced through: ms-rest-azure@3.0.2

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d ms-rest-azure@3.0.2 adal-node@0.2.4 axios@0.21.4

Overview

axios is a promise-based HTTP client for the browser and Node.js.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). An attacker can deplete system resources by providing a manipulated string as input to the format method, causing the regular expression to exhibit a time complexity of O(n^2). This makes the server to become unable to provide normal service due to the excessive cost and time wasted in processing vulnerable regular expressions.

PoC

const axios = require('axios');

console.time('t1');
axios.defaults.baseURL = '/'.repeat(10000) + 'a/';
axios.get('/a').then(()=>{}).catch(()=>{});
console.timeEnd('t1');

console.time('t2');
axios.defaults.baseURL = '/'.repeat(100000) + 'a/';
axios.get('/a').then(()=>{}).catch(()=>{});
console.timeEnd('t2');


/* stdout
t1: 60.826ms
t2: 5.826s
*/

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

Let’s take the following regular expression as an example:

regex = /A(B|C+)+D/

This regular expression accomplishes the following:

  • A The string must start with the letter 'A'
  • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
  • D Finally, we ensure this section of the string ends with a 'D'

The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

It most cases, it doesn't take very long for a regex engine to find a match:

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
0.04s user 0.01s system 95% cpu 0.052 total

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
1.79s user 0.02s system 99% cpu 1.812 total

The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

  1. CCC
  2. CC+C
  3. C+CC
  4. C+C+C.

The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

From there, the number of steps the engine must use to validate a string just continues to grow.

String Number of C's Number of steps
ACCCX 3 38
ACCCCX 4 71
ACCCCCX 5 136
ACCCCCCCCCCCCCCX 14 65,553

By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

Remediation

Upgrade axios to version 0.29.0, 1.6.3 or higher.

References

Regular Expression Denial of Service (ReDoS) vulnerability report

medium severity

Improper Input Validation

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Improper Input Validation. It is possible to kill a renderer if it provides an unexpected FrameOwnerElementType.

Remediation

Upgrade electron to version 13.5.1, 12.2.1 or higher.

References

Improper Input Validation vulnerability report

medium severity

Improper Input Validation

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Improper Input Validation. in Internals, due to not treating % as a special character in pathname resolution.

NOTE: This vulnerability is only exploitable when running on Windows.

Remediation

Upgrade electron to version 18.3.8, 19.0.13 or higher.

References

Improper Input Validation vulnerability report

medium severity

Information Exposure

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Information Exposure. IPC messages sent from the main process to a subframe in the renderer process, through webContents.sendToFrame, event.reply or when using the remote module, can in some cases be delivered to the wrong frame.

Remediation

Upgrade electron to version 9.4.0, 10.2.0, 11.1.0, 12.0.0-beta.9 or higher.

References

Information Exposure vulnerability report

medium severity

Information Exposure

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Information Exposure. The is a side-channel information leakage in autofill.

Remediation

Upgrade electron to version 11.4.0, 10.4.1 or higher.

References

Information Exposure vulnerability report

medium severity

Information Exposure

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Information Exposure where ImageBitmaps that is created by webGL contexts will fail to render.

Remediation

Upgrade electron to version 14.2.8, 15.4.2, 16.2.0 or higher.

References

Information Exposure vulnerability report

medium severity

Information Exposure

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Information Exposure in Background Fetch, by exposing URLs during cross-origin redirects.

Remediation

Upgrade electron to version 18.3.9, 19.0.12 or higher.

References

Information Exposure vulnerability report

medium severity

Out-of-Bounds

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Out-of-Bounds. An out of bounds write issue exists in engine.

Remediation

Upgrade electron to version 13.5.0, 12.1.2 or higher.

References

Out-of-Bounds vulnerability report

medium severity

Type Confusion

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Type Confusion via a crafted HTML page in the V8 engine.

**Note: ** This is only exploitable if the user navigates to or is redirected to the malicious page.

Remediation

Upgrade electron to version 29.4.3 or higher.

References

Type Confusion vulnerability report

medium severity

Regular Expression Denial of Service (ReDoS)

  • Vulnerable module: fast-csv
  • Introduced through: csv-database@0.9.2

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d csv-database@0.9.2 fast-csv@2.5.0

Overview

fast-csv is a CSV parser and writer

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) when using ignoreEmpty option when parsing. You will only be affected by this if you use the ignoreEmpty parsing option.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

Let’s take the following regular expression as an example:

regex = /A(B|C+)+D/

This regular expression accomplishes the following:

  • A The string must start with the letter 'A'
  • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
  • D Finally, we ensure this section of the string ends with a 'D'

The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

It most cases, it doesn't take very long for a regex engine to find a match:

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
0.04s user 0.01s system 95% cpu 0.052 total

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
1.79s user 0.02s system 99% cpu 1.812 total

The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

  1. CCC
  2. CC+C
  3. C+CC
  4. C+C+C.

The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

From there, the number of steps the engine must use to validate a string just continues to grow.

String Number of C's Number of steps
ACCCX 3 38
ACCCCX 4 71
ACCCCCX 5 136
ACCCCCCCCCCCCCCX 14 65,553

By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

Remediation

Upgrade fast-csv to version 4.3.6 or higher.

References

Regular Expression Denial of Service (ReDoS) vulnerability report

medium severity

Denial of Service (DoS)

  • Vulnerable module: jszip
  • Introduced through: textract@2.5.0

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d textract@2.5.0 j@0.4.3 xlsx@0.7.12 jszip@2.4.0

Overview

jszip is a Create, read and edit .zip files with JavaScript http://stuartk.com/jszip

Affected versions of this package are vulnerable to Denial of Service (DoS). Crafting a new zip file with filenames set to Object prototype values (e.g __proto__, toString, etc) results in a returned object with a modified prototype instance.

PoC

const jszip = require('jszip');

async function loadZip() {
// this is a raw buffer of demo.zip containing 2 empty files:
// - "file.txt"
// - "toString"
const demoZip = Buffer.from('UEsDBBQACAAIANS8kVIAAAAAAAAAAAAAAAAIACAAdG9TdHJpbmdVVA0AB3Bje2BmY3tgcGN7YHV4CwABBPUBAAAEFAAAAAMAUEsHCAAAAAACAAAAAAAAAFBLAwQUAAgACADDvJFSAAAAAAAAAAAAAAAACAAgAGZpbGUudHh0VVQNAAdPY3tg4FJ7YE9je2B1eAsAAQT1AQAABBQAAAADAFBLBwgAAAAAAgAAAAAAAABQSwECFAMUAAgACADUvJFSAAAAAAIAAAAAAAAACAAgAAAAAAAAAAAApIEAAAAAdG9TdHJpbmdVVA0AB3Bje2BmY3tgcGN7YHV4CwABBPUBAAAEFAAAAFBLAQIUAxQACAAIAMO8kVIAAAAAAgAAAAAAAAAIACAAAAAAAAAAAACkgVgAAABmaWxlLnR4dFVUDQAHT2N7YOBSe2BPY3tgdXgLAAEE9QEAAAQUAAAAUEsFBgAAAAACAAIArAAAALAAAAAAAA==', 'base64');

const zip = await jszip.loadAsync(demoZip);
zip.files.toString(); // this will throw
return zip;
}
loadZip();

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade jszip to version 3.7.0 or higher.

References

Denial of Service (DoS) vulnerability report

medium severity

Regular Expression Denial of Service (ReDoS)

  • Vulnerable module: lodash
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 data-forge@0.5.3 promised-mongo@1.2.0 lodash@3.10.1

Overview

lodash is a modern JavaScript utility library delivering modularity, performance, & extras.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

POC

var lo = require('lodash');

function build_blank (n) {
var ret = "1"
for (var i = 0; i < n; i++) {
ret += " "
}

return ret + "1";
}

var s = build_blank(50000)
var time0 = Date.now();
lo.trim(s)
var time_cost0 = Date.now() - time0;
console.log("time_cost0: " + time_cost0)

var time1 = Date.now();
lo.toNumber(s)
var time_cost1 = Date.now() - time1;
console.log("time_cost1: " + time_cost1)

var time2 = Date.now();
lo.trimEnd(s)
var time_cost2 = Date.now() - time2;
console.log("time_cost2: " + time_cost2)

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

Let’s take the following regular expression as an example:

regex = /A(B|C+)+D/

This regular expression accomplishes the following:

  • A The string must start with the letter 'A'
  • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
  • D Finally, we ensure this section of the string ends with a 'D'

The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

It most cases, it doesn't take very long for a regex engine to find a match:

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
0.04s user 0.01s system 95% cpu 0.052 total

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
1.79s user 0.02s system 99% cpu 1.812 total

The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

  1. CCC
  2. CC+C
  3. C+CC
  4. C+C+C.

The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

From there, the number of steps the engine must use to validate a string just continues to grow.

String Number of C's Number of steps
ACCCX 3 38
ACCCCX 4 71
ACCCCCX 5 136
ACCCCCCCCCCCCCCX 14 65,553

By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

Remediation

Upgrade lodash to version 4.17.21 or higher.

References

Regular Expression Denial of Service (ReDoS) vulnerability report

medium severity

Regular Expression Denial of Service (ReDoS)

  • Vulnerable module: marked
  • Introduced through: textract@2.5.0

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d textract@2.5.0 marked@0.6.2

Overview

marked is a low-level compiler for parsing markdown without caching or blocking for long periods of time.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) when passing unsanitized user input to inline.reflinkSearch, if it is not being parsed by a time-limited worker thread.

PoC

import * as marked from 'marked';

console.log(marked.parse(`[x]: x

\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](`));

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

Let’s take the following regular expression as an example:

regex = /A(B|C+)+D/

This regular expression accomplishes the following:

  • A The string must start with the letter 'A'
  • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
  • D Finally, we ensure this section of the string ends with a 'D'

The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

It most cases, it doesn't take very long for a regex engine to find a match:

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
0.04s user 0.01s system 95% cpu 0.052 total

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
1.79s user 0.02s system 99% cpu 1.812 total

The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

  1. CCC
  2. CC+C
  3. C+CC
  4. C+C+C.

The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

From there, the number of steps the engine must use to validate a string just continues to grow.

String Number of C's Number of steps
ACCCX 3 38
ACCCCX 4 71
ACCCCCX 5 136
ACCCCCCCCCCCCCCX 14 65,553

By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

Remediation

Upgrade marked to version 4.0.10 or higher.

References

Regular Expression Denial of Service (ReDoS) vulnerability report

medium severity

Regular Expression Denial of Service (ReDoS)

  • Vulnerable module: marked
  • Introduced through: textract@2.5.0

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d textract@2.5.0 marked@0.6.2

Overview

marked is a low-level compiler for parsing markdown without caching or blocking for long periods of time.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) when unsanitized user input is passed to block.def.

PoC

import * as marked from "marked";
marked.parse(`[x]:${' '.repeat(1500)}x ${' '.repeat(1500)} x`);

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

Let’s take the following regular expression as an example:

regex = /A(B|C+)+D/

This regular expression accomplishes the following:

  • A The string must start with the letter 'A'
  • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
  • D Finally, we ensure this section of the string ends with a 'D'

The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

It most cases, it doesn't take very long for a regex engine to find a match:

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
0.04s user 0.01s system 95% cpu 0.052 total

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
1.79s user 0.02s system 99% cpu 1.812 total

The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

  1. CCC
  2. CC+C
  3. C+CC
  4. C+C+C.

The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

From there, the number of steps the engine must use to validate a string just continues to grow.

String Number of C's Number of steps
ACCCX 3 38
ACCCCX 4 71
ACCCCCX 5 136
ACCCCCCCCCCCCCCX 14 65,553

By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

Remediation

Upgrade marked to version 4.0.10 or higher.

References

Regular Expression Denial of Service (ReDoS) vulnerability report

medium severity

Regular Expression Denial of Service (ReDoS)

  • Vulnerable module: marked
  • Introduced through: textract@2.5.0

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d textract@2.5.0 marked@0.6.2

Overview

marked is a low-level compiler for parsing markdown without caching or blocking for long periods of time.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). The package may take exponentially quadratic time when parsing malformed input due to the _label subrule using back ticks. This vulnerability was introduced in release 0.4.0 of the package.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

Let’s take the following regular expression as an example:

regex = /A(B|C+)+D/

This regular expression accomplishes the following:

  • A The string must start with the letter 'A'
  • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
  • D Finally, we ensure this section of the string ends with a 'D'

The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

It most cases, it doesn't take very long for a regex engine to find a match:

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
0.04s user 0.01s system 95% cpu 0.052 total

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
1.79s user 0.02s system 99% cpu 1.812 total

The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

  1. CCC
  2. CC+C
  3. C+CC
  4. C+C+C.

The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

From there, the number of steps the engine must use to validate a string just continues to grow.

String Number of C's Number of steps
ACCCX 3 38
ACCCCX 4 71
ACCCCCX 5 136
ACCCCCCCCCCCCCCX 14 65,553

By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

Remediation

Upgrade marked to version 0.7.0 or higher.

References

Regular Expression Denial of Service (ReDoS) vulnerability report

medium severity

Regular Expression Denial of Service (ReDoS)

  • Vulnerable module: semver
  • Introduced through: botframework-connector@4.23.0, botbuilder@4.23.0 and others

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 semver@2.3.2
    Remediation: Open PR to patch semver@2.3.2.
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botbuilder@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 semver@2.3.2
    Remediation: Open PR to patch semver@2.3.2.
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botbuilder-dialogs@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 semver@2.3.2
    Remediation: Open PR to patch semver@2.3.2.
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botbuilder-ai@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 semver@2.3.2
    Remediation: Open PR to patch semver@2.3.2.
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 semver@2.3.2
    Remediation: Open PR to patch semver@2.3.2.
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botbuilder@4.23.0 botbuilder-core@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 semver@2.3.2
    Remediation: Open PR to patch semver@2.3.2.
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botbuilder-dialogs@4.23.0 botbuilder-core@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 semver@2.3.2
    Remediation: Open PR to patch semver@2.3.2.
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botbuilder-ai@4.23.0 botbuilder-core@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 semver@2.3.2
    Remediation: Open PR to patch semver@2.3.2.
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botbuilder@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 semver@2.3.2
    Remediation: Open PR to patch semver@2.3.2.
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botbuilder-ai@4.23.0 botbuilder-dialogs@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 semver@2.3.2
    Remediation: Open PR to patch semver@2.3.2.
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botbuilder-dialogs@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 semver@2.3.2
    Remediation: Open PR to patch semver@2.3.2.
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botbuilder-ai@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 semver@2.3.2
    Remediation: Open PR to patch semver@2.3.2.
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botbuilder@4.23.0 botbuilder-core@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 semver@2.3.2
    Remediation: Open PR to patch semver@2.3.2.
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botbuilder-ai@4.23.0 botbuilder-dialogs@4.23.0 botbuilder-core@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 semver@2.3.2
    Remediation: Open PR to patch semver@2.3.2.
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botbuilder-dialogs@4.23.0 botbuilder-core@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 semver@2.3.2
    Remediation: Open PR to patch semver@2.3.2.
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botbuilder-ai@4.23.0 botbuilder-core@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 semver@2.3.2
    Remediation: Open PR to patch semver@2.3.2.
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botbuilder-azure@4.23.0 botbuilder@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 semver@2.3.2
    Remediation: Open PR to patch semver@2.3.2.
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botbuilder-ai@4.23.0 botbuilder-dialogs-declarative@4.23.0-preview botbuilder-dialogs@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 semver@2.3.2
    Remediation: Open PR to patch semver@2.3.2.
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botbuilder-ai@4.23.0 botbuilder-dialogs@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 semver@2.3.2
    Remediation: Open PR to patch semver@2.3.2.
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botbuilder-azure@4.23.0 botbuilder@4.23.0 botbuilder-core@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 semver@2.3.2
    Remediation: Open PR to patch semver@2.3.2.
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botbuilder-ai@4.23.0 botbuilder-dialogs-declarative@4.23.0-preview botbuilder-dialogs@4.23.0 botbuilder-core@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 semver@2.3.2
    Remediation: Open PR to patch semver@2.3.2.
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botbuilder-ai@4.23.0 botbuilder-dialogs@4.23.0 botbuilder-core@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 semver@2.3.2
    Remediation: Open PR to patch semver@2.3.2.
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botbuilder-ai@4.23.0 botbuilder-dialogs-declarative@4.23.0-preview botbuilder-dialogs@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 semver@2.3.2
    Remediation: Open PR to patch semver@2.3.2.
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botbuilder-ai@4.23.0 botbuilder-dialogs-declarative@4.23.0-preview botbuilder-dialogs@4.23.0 botbuilder-core@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 semver@2.3.2
    Remediation: Open PR to patch semver@2.3.2.

Overview

semver is a semantic version parser used by npm.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). The semver module uses regular expressions when parsing a version string. For a carefully crafted input, the time it takes to process these regular expressions is not linear to the length of the input. Since the semver module did not enforce a limit on the version string length, an attacker could provide a long string that would take up a large amount of resources, potentially taking a server down. This issue therefore enables a potential Denial of Service attack.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

Let’s take the following regular expression as an example:

regex = /A(B|C+)+D/

This regular expression accomplishes the following:

  • A The string must start with the letter 'A'
  • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
  • D Finally, we ensure this section of the string ends with a 'D'

The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

It most cases, it doesn't take very long for a regex engine to find a match:

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
0.04s user 0.01s system 95% cpu 0.052 total

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
1.79s user 0.02s system 99% cpu 1.812 total

The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

  1. CCC
  2. CC+C
  3. C+CC
  4. C+C+C.

The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

From there, the number of steps the engine must use to validate a string just continues to grow.

String Number of C's Number of steps
ACCCX 3 38
ACCCCX 4 71
ACCCCCX 5 136
ACCCCCCCCCCCCCCX 14 65,553

By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

Remediation

Upgrade semver to version 4.3.2 or higher.

References

Regular Expression Denial of Service (ReDoS) vulnerability report

medium severity

Prototype Pollution

  • Vulnerable module: xlsx
  • Introduced through: @nosferatu500/textract@3.1.3, node-nlp@4.27.0 and others

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d @nosferatu500/textract@3.1.3 xlsx@0.18.5
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d node-nlp@4.27.0 @nlpjs/xtables@4.25.0 xlsx@0.18.5
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d textract@2.5.0 j@0.4.3 xlsx@0.7.12

Overview

xlsx is a Parser and writer for various spreadsheet formats.

Affected versions of this package are vulnerable to Prototype Pollution when reading specially crafted files.

Note:

  1. The issue is resolved in version 0.19.3 of SheetJS that is distributed only via the authoritative source for SheetJS modules. See this issue (https://github.com/SheetJS/sheetjs/issues/2667) for full details.

  2. Workflows that do not read arbitrary files (for example, exporting data to spreadsheet files) are unaffected.

Details

Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as __proto__, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.

There are two main ways in which the pollution of prototypes occurs:

  • Unsafe Object recursive merge

  • Property definition by path

Unsafe Object recursive merge

The logic of a vulnerable recursive merge function follows the following high-level model:

merge (target, source)

  foreach property of source

    if property exists and is an object on both the target and the source

      merge(target[property], source[property])

    else

      target[property] = source[property]

When the source object contains a property named __proto__ defined with Object.defineProperty() , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of Object and the source of Object as defined by the attacker. Properties are then copied on the Object prototype.

Clone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: merge({},source).

lodash and Hoek are examples of libraries susceptible to recursive merge attacks.

Property definition by path

There are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: theFunction(object, path, value)

If the attacker can control the value of “path”, they can set this value to __proto__.myValue. myValue is then assigned to the prototype of the class of the object.

Types of attacks

There are a few methods by which Prototype Pollution can be manipulated:

Type Origin Short description
Denial of service (DoS) Client This is the most likely attack.
DoS occurs when Object holds generic functions that are implicitly called for various operations (for example, toString and valueOf).
The attacker pollutes Object.prototype.someattr and alters its state to an unexpected value such as Int or Object. In this case, the code fails and is likely to cause a denial of service.
For example: if an attacker pollutes Object.prototype.toString by defining it as an integer, if the codebase at any point was reliant on someobject.toString() it would fail.
Remote Code Execution Client Remote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.
For example: eval(someobject.someattr). In this case, if the attacker pollutes Object.prototype.someattr they are likely to be able to leverage this in order to execute code.
Property Injection Client The attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.
For example: if a codebase checks privileges for someuser.isAdmin, then when the attacker pollutes Object.prototype.isAdmin and sets it to equal true, they can then achieve admin privileges.

Affected environments

The following environments are susceptible to a Prototype Pollution attack:

  • Application server

  • Web server

  • Web browser

How to prevent

  1. Freeze the prototype— use Object.freeze (Object.prototype).

  2. Require schema validation of JSON input.

  3. Avoid using unsafe recursive merge functions.

  4. Consider using objects without prototypes (for example, Object.create(null)), breaking the prototype chain and preventing pollution.

  5. As a best practice use Map instead of Object.

For more information on this vulnerability type:

Arteau, Oliver. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018

Remediation

A fix was pushed into the master branch but not yet published.

References

Prototype Pollution vulnerability report

medium severity

Prototype Pollution

  • Vulnerable module: xml2js
  • Introduced through: docximager@0.0.4, @nosferatu500/textract@3.1.3 and others

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d docximager@0.0.4 xml2js@0.4.23
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d @nosferatu500/textract@3.1.3 epub2@1.3.8 xml2js@0.4.23
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d textract@2.5.0 epub2@1.3.4 xml2js@0.4.23

Overview

Affected versions of this package are vulnerable to Prototype Pollution due to allowing an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the __proto__ property to be edited.

PoC

var parseString = require('xml2js').parseString;

let normal_user_request    = "<role>admin</role>";
let malicious_user_request = "<__proto__><role>admin</role></__proto__>";

const update_user = (userProp) => {
    // A user cannot alter his role. This way we prevent privilege escalations.
    parseString(userProp, function (err, user) {
        if(user.hasOwnProperty("role") && user?.role.toLowerCase() === "admin") {
            console.log("Unauthorized Action");
        } else {
            console.log(user?.role[0]);
        }
    });
}

update_user(normal_user_request);
update_user(malicious_user_request);

Details

Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as __proto__, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.

There are two main ways in which the pollution of prototypes occurs:

  • Unsafe Object recursive merge

  • Property definition by path

Unsafe Object recursive merge

The logic of a vulnerable recursive merge function follows the following high-level model:

merge (target, source)

  foreach property of source

    if property exists and is an object on both the target and the source

      merge(target[property], source[property])

    else

      target[property] = source[property]

When the source object contains a property named __proto__ defined with Object.defineProperty() , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of Object and the source of Object as defined by the attacker. Properties are then copied on the Object prototype.

Clone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: merge({},source).

lodash and Hoek are examples of libraries susceptible to recursive merge attacks.

Property definition by path

There are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: theFunction(object, path, value)

If the attacker can control the value of “path”, they can set this value to __proto__.myValue. myValue is then assigned to the prototype of the class of the object.

Types of attacks

There are a few methods by which Prototype Pollution can be manipulated:

Type Origin Short description
Denial of service (DoS) Client This is the most likely attack.
DoS occurs when Object holds generic functions that are implicitly called for various operations (for example, toString and valueOf).
The attacker pollutes Object.prototype.someattr and alters its state to an unexpected value such as Int or Object. In this case, the code fails and is likely to cause a denial of service.
For example: if an attacker pollutes Object.prototype.toString by defining it as an integer, if the codebase at any point was reliant on someobject.toString() it would fail.
Remote Code Execution Client Remote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.
For example: eval(someobject.someattr). In this case, if the attacker pollutes Object.prototype.someattr they are likely to be able to leverage this in order to execute code.
Property Injection Client The attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.
For example: if a codebase checks privileges for someuser.isAdmin, then when the attacker pollutes Object.prototype.isAdmin and sets it to equal true, they can then achieve admin privileges.

Affected environments

The following environments are susceptible to a Prototype Pollution attack:

  • Application server

  • Web server

  • Web browser

How to prevent

  1. Freeze the prototype— use Object.freeze (Object.prototype).

  2. Require schema validation of JSON input.

  3. Avoid using unsafe recursive merge functions.

  4. Consider using objects without prototypes (for example, Object.create(null)), breaking the prototype chain and preventing pollution.

  5. As a best practice use Map instead of Object.

For more information on this vulnerability type:

Arteau, Oliver. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018

Remediation

Upgrade xml2js to version 0.5.0 or higher.

References

Prototype Pollution vulnerability report

medium severity
new

Arbitrary Code Injection

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8 and electron@32.0.1

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d electron@32.0.1
    Remediation: Upgrade to electron@35.7.5.

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Arbitrary Code Injection via modification of the resources folder when the embeddedAsarIntegrityValidation and onlyLoadAppFromAsar fuses are enabled. An attacker can execute unauthorized code by altering files within the application directory, bypassing ASAR integrity checks.

Note: This is only exploitable if the application is launched from a filesystem to which the attacker has write access.

Remediation

Upgrade electron to version 35.7.5, 36.8.1, 37.3.1, 38.0.0-beta.6 or higher.

References

Arbitrary Code Injection vulnerability report

medium severity

Uninitialized Memory Exposure

  • Vulnerable module: bl
  • Introduced through: botframework-connector@4.23.0, botbuilder@4.23.0 and others

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 bl@0.8.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botbuilder@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 bl@0.8.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botbuilder-dialogs@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 bl@0.8.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botbuilder-ai@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 bl@0.8.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 bl@0.8.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botbuilder@4.23.0 botbuilder-core@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 bl@0.8.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botbuilder-dialogs@4.23.0 botbuilder-core@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 bl@0.8.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botbuilder-ai@4.23.0 botbuilder-core@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 bl@0.8.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botbuilder@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 bl@0.8.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botbuilder-ai@4.23.0 botbuilder-dialogs@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 bl@0.8.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botbuilder-dialogs@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 bl@0.8.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botbuilder-ai@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 bl@0.8.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botbuilder@4.23.0 botbuilder-core@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 bl@0.8.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botbuilder-ai@4.23.0 botbuilder-dialogs@4.23.0 botbuilder-core@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 bl@0.8.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botbuilder-dialogs@4.23.0 botbuilder-core@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 bl@0.8.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botbuilder-ai@4.23.0 botbuilder-core@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 bl@0.8.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botbuilder-azure@4.23.0 botbuilder@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 bl@0.8.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botbuilder-ai@4.23.0 botbuilder-dialogs-declarative@4.23.0-preview botbuilder-dialogs@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 bl@0.8.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botbuilder-ai@4.23.0 botbuilder-dialogs@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 bl@0.8.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botbuilder-azure@4.23.0 botbuilder@4.23.0 botbuilder-core@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 bl@0.8.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botbuilder-ai@4.23.0 botbuilder-dialogs-declarative@4.23.0-preview botbuilder-dialogs@4.23.0 botbuilder-core@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 bl@0.8.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botbuilder-ai@4.23.0 botbuilder-dialogs@4.23.0 botbuilder-core@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 bl@0.8.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botbuilder-ai@4.23.0 botbuilder-dialogs-declarative@4.23.0-preview botbuilder-dialogs@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 bl@0.8.2
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d botlib@5.0.0 botbuilder-ai@4.23.0 botbuilder-dialogs-declarative@4.23.0-preview botbuilder-dialogs@4.23.0 botbuilder-core@4.23.0 botframework-connector@4.23.0 browserify-fs@1.0.0 levelup@0.18.6 bl@0.8.2

Overview

bl is a storage object for collections of Node Buffers.

A possible memory disclosure vulnerability exists when a value of type number is provided to the append() method and results in concatenation of uninitialized memory to the buffer collection.

This is a result of unobstructed use of the Buffer constructor, whose insecure default constructor increases the odds of memory leakage.

Details

Constructing a Buffer class with integer N creates a Buffer of length N with raw (not "zero-ed") memory.

In the following example, the first call would allocate 100 bytes of memory, while the second example will allocate the memory needed for the string "100":

// uninitialized Buffer of length 100
x = new Buffer(100);
// initialized Buffer with value of '100'
x = new Buffer('100');

bl's append function uses the default Buffer constructor as-is, making it easy to append uninitialized memory to an existing list. If the value of the buffer list is exposed to users, it may expose raw server side memory, potentially holding secrets, private data and code. This is a similar vulnerability to the infamous Heartbleed flaw in OpenSSL.

const BufferList = require('bl')

var bl = new BufferList()
bl.append(new Buffer('abcd'))
bl.append(new Buffer('efg'))
bl.append('100')
// appends a Buffer holding 100 bytes of uninitialized memory
bl.append(100)                     
bl.append(new Buffer('j'))

You can read more about the insecure Buffer behavior on our blog.

Similar vulnerabilities were discovered in request, mongoose, ws and sequelize.

Note This is vulnerable only for Node <=4

References

Uninitialized Memory Exposure vulnerability report

medium severity

Information Exposure

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8 and electron@32.0.1

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d electron@32.0.1
    Remediation: Upgrade to electron@36.3.0.

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Information Exposure via the Loader component. An attacker can leak sensitive cross-origin data by crafting a malicious HTML page.

Remediation

Upgrade electron to version 36.3.0 or higher.

References

Information Exposure vulnerability report

medium severity

Cross-site Scripting

  • Vulnerable module: express
  • Introduced through: express@4.19.2

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d express@4.19.2
    Remediation: Upgrade to express@4.20.0.

Overview

express is a minimalist web framework.

Affected versions of this package are vulnerable to Cross-site Scripting due to improper handling of user input in the response.redirect method. An attacker can execute arbitrary code by passing malicious input to this method.

Note

To exploit this vulnerability, the following conditions are required:

  1. The attacker should be able to control the input to response.redirect()

  2. express must not redirect before the template appears

  3. the browser must not complete redirection before:

  4. the user must click on the link in the template

Remediation

Upgrade express to version 4.20.0, 5.0.0 or higher.

References

Cross-site Scripting vulnerability report

medium severity

Open Redirect

  • Vulnerable module: koa
  • Introduced through: koa@2.15.3

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d koa@2.15.3
    Remediation: Upgrade to koa@2.16.2.

Overview

koa is a Koa web app framework

Affected versions of this package are vulnerable to Open Redirect via the back function in lib/response.js which uses the user-controllable referrer header as the redirect target. An attacker can redirect users to arbitrary external sites by manipulating the Referrer argument.

Remediation

Upgrade koa to version 2.16.2, 3.0.1 or higher.

References

Open Redirect vulnerability report

medium severity
new

Open Redirect

  • Vulnerable module: koa
  • Introduced through: koa@2.15.3

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d koa@2.15.3

Overview

koa is a Koa web app framework

Affected versions of this package are vulnerable to Open Redirect via the redirect function in lib/response.js due to improper input sanitization. An attacker can redirect users to arbitrary external sites by exploiting this vulnerability.

Remediation

A fix was pushed into the master branch but not yet published.

References

Open Redirect vulnerability report

medium severity

Denial of Service (DoS)

  • Vulnerable module: mem
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 yargs@8.0.2 os-locale@2.1.0 mem@1.1.0

Overview

mem is an optimization used to speed up consecutive function calls by caching the result of calls with identical input.

Affected versions of this package are vulnerable to Denial of Service (DoS). Old results were deleted from the cache and could cause a memory leak.

details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade mem to version 4.0.0 or higher.

References

Denial of Service (DoS) vulnerability report

medium severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via the Blink component in chromium.

Remediation

Upgrade electron to version 9.4.2, 10.3.1, 11.2.2 or higher.

References

Use After Free vulnerability report

medium severity

Improper Input Validation

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Improper Input Validation due to insufficient data validation that exists in V8.

Remediation

Upgrade electron to version 10.4.4, 12.0.6 or higher.

References

Improper Input Validation vulnerability report

medium severity
new

Regular Expression Denial of Service (ReDoS)

  • Vulnerable module: yarn
  • Introduced through: yarn@1.22.22

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d yarn@1.22.22

Overview

yarn is a package for dependency management.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the setOptions function in the src/util/request-manager.js file. An attacker can cause resource exhaustion by supplying crafted input that triggers excessive backtracking.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

Let’s take the following regular expression as an example:

regex = /A(B|C+)+D/

This regular expression accomplishes the following:

  • A The string must start with the letter 'A'
  • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
  • D Finally, we ensure this section of the string ends with a 'D'

The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

It most cases, it doesn't take very long for a regex engine to find a match:

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
0.04s user 0.01s system 95% cpu 0.052 total

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
1.79s user 0.02s system 99% cpu 1.812 total

The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

  1. CCC
  2. CC+C
  3. C+CC
  4. C+C+C.

The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

From there, the number of steps the engine must use to validate a string just continues to grow.

String Number of C's Number of steps
ACCCX 3 38
ACCCCX 4 71
ACCCCCX 5 136
ACCCCCCCCCCCCCCX 14 65,553

By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

Remediation

There is no fixed version for yarn.

References

Regular Expression Denial of Service (ReDoS) vulnerability report

medium severity

Regular Expression Denial of Service (ReDoS)

  • Vulnerable module: lodash
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 data-forge@0.5.3 promised-mongo@1.2.0 lodash@3.10.1

Overview

lodash is a modern JavaScript utility library delivering modularity, performance, & extras.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). It parses dates using regex strings, which may cause a slowdown of 2 seconds per 50k characters.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

Let’s take the following regular expression as an example:

regex = /A(B|C+)+D/

This regular expression accomplishes the following:

  • A The string must start with the letter 'A'
  • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
  • D Finally, we ensure this section of the string ends with a 'D'

The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

It most cases, it doesn't take very long for a regex engine to find a match:

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
0.04s user 0.01s system 95% cpu 0.052 total

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
1.79s user 0.02s system 99% cpu 1.812 total

The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

  1. CCC
  2. CC+C
  3. C+CC
  4. C+C+C.

The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

From there, the number of steps the engine must use to validate a string just continues to grow.

String Number of C's Number of steps
ACCCX 3 38
ACCCCX 4 71
ACCCCCX 5 136
ACCCCCCCCCCCCCCX 14 65,553

By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

Remediation

Upgrade lodash to version 4.17.11 or higher.

References

Regular Expression Denial of Service (ReDoS) vulnerability report

medium severity

Exposure of Resource to Wrong Sphere

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Exposure of Resource to Wrong Sphere. Inappropriate implementation in Background Fetch API in Google Chrome prior to 94.0.4606.54 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

Remediation

Upgrade electron to version 14.1.1, 13.5.2, 12.2.2 or higher.

References

Exposure of Resource to Wrong Sphere vulnerability report

medium severity

Improper Access Control

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Improper Access Control. Inappropriate implementation in Background Fetch API in Google Chrome prior to 94.0.4606.54 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page.

Remediation

Upgrade electron to version 14.1.1, 13.5.2, 12.2.2 or higher.

References

Improper Access Control vulnerability report

medium severity

Improper Authentication

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Improper Authentication by allowing the creation of cookies that have an empty name field and whose value impersonates a cookie name prefix.

Note:

Upgrading to the fixed version will delete any previously stored cookies that meet the conditions by causing them to fail their IsCanonical() check.

Remediation

Upgrade electron to version 18.3.11 or higher.

References

Improper Authentication vulnerability report

medium severity

Improper implementation

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Improper implementation in Compositing.

Remediation

Upgrade electron to version 15.5.3, 16.2.4 or higher.

References

Improper implementation vulnerability report

medium severity

Exposure of Sensitive Information to an Unauthorized Actor

  • Vulnerable module: phin
  • Introduced through: svg2img@1.0.0-beta.2

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d svg2img@1.0.0-beta.2 jimp@0.16.13 @jimp/custom@0.16.13 @jimp/core@0.16.13 phin@2.9.3

Overview

phin is a The ultra-lightweight Node.js HTTP client

Affected versions of this package are vulnerable to Exposure of Sensitive Information to an Unauthorized Actor due to the handling of HTTP headers during redirects when followRedirects is enabled. An attacker can potentially intercept sensitive information by exploiting how headers are included in outgoing requests after a redirect.

Remediation

Upgrade phin to version 3.7.1 or higher.

References

Exposure of Sensitive Information to an Unauthorized Actor vulnerability report

medium severity

MPL-2.0 license

  • Module: @resvg/resvg-js
  • Introduced through: svg2img@1.0.0-beta.2

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d svg2img@1.0.0-beta.2 @resvg/resvg-js@2.6.2

MPL-2.0 license

MPL-2.0 license vulnerability report

medium severity

LGPL-3.0 license

  • Module: harmony-proxy
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 data-forge@0.5.3 promised-mongo@1.2.0 harmony-proxy@0.0.2

LGPL-3.0 license

LGPL-3.0 license vulnerability report

medium severity

LGPL-2.1 license

  • Module: jschardet
  • Introduced through: @nosferatu500/textract@3.1.3 and textract@2.5.0

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d @nosferatu500/textract@3.1.3 jschardet@3.0.0
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d textract@2.5.0 jschardet@1.4.1

LGPL-2.1 license

LGPL-2.1 license vulnerability report

medium severity

LGPL-2.1 license

  • Module: mariadb
  • Introduced through: mariadb@3.3.1

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d mariadb@3.3.1

LGPL-2.1 license

LGPL-2.1 license vulnerability report

medium severity

Artistic-2.0 license

  • Module: npm
  • Introduced through: npm@10.8.3

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d npm@10.8.3

Artistic-2.0 license

Artistic-2.0 license vulnerability report

low severity

Out Of Bounds Read

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Out Of Bounds Read. Blit11 would clip the destination rectangle with the destination size but ignore the result. gl::ClipRectangle returns false when the rectangles do not intersect at all, indicating the blit can be skipped.

Remediation

Upgrade electron to version 10.4.4, 11.4.4, 12.0.6 or higher.

References

Out Of Bounds Read vulnerability report

low severity

Regular Expression Denial of Service (ReDoS)

  • Vulnerable module: harb
  • Introduced through: textract@2.5.0

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d textract@2.5.0 j@0.4.3 harb@0.0.7

Overview

harb is a parser and writer for various spreadsheet formats.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks. This can cause an impact of about 10 seconds matching time for data 40k characters long.

Disclosure Timeline

  • Feb 19th, 2018 - Initial Disclosure to package owner
  • Feb 19th, 2018 - Initial Response from package owner
  • Feb 21th, 2018 - Fix issued
  • Feb 22th, 2018 - Vulnerability published

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

Let’s take the following regular expression as an example:

regex = /A(B|C+)+D/

This regular expression accomplishes the following:

  • A The string must start with the letter 'A'
  • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
  • D Finally, we ensure this section of the string ends with a 'D'

The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

It most cases, it doesn't take very long for a regex engine to find a match:

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
0.04s user 0.01s system 95% cpu 0.052 total

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
1.79s user 0.02s system 99% cpu 1.812 total

The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

  1. CCC
  2. CC+C
  3. C+CC
  4. C+C+C.

The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

From there, the number of steps the engine must use to validate a string just continues to grow.

String Number of C's Number of steps
ACCCX 3 38
ACCCCX 4 71
ACCCCCX 5 136
ACCCCCCCCCCCCCCX 14 65,553

By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

Remediation

There is no fix for harb, as this package is now maintained as xlsx.

References

Regular Expression Denial of Service (ReDoS) vulnerability report

low severity

Regular Expression Denial of Service (ReDoS)

  • Vulnerable module: xlsx
  • Introduced through: textract@2.5.0

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d textract@2.5.0 j@0.4.3 xlsx@0.7.12

Overview

xlsx is a Parser and writer for various spreadsheet formats.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). This can cause an impact of about 2 seconds matching time for data 50k characters long. This vulnerability is due to an incomplete fix for SNYK-JS-XLSX-10909.

Note:

xlsx package after version 0.18.5 is distributed only via the authoritative source for SheetJS modules. See this issue (https://github.com/SheetJS/sheetjs/issues/2667) for full details.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

Let’s take the following regular expression as an example:

regex = /A(B|C+)+D/

This regular expression accomplishes the following:

  • A The string must start with the letter 'A'
  • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
  • D Finally, we ensure this section of the string ends with a 'D'

The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

It most cases, it doesn't take very long for a regex engine to find a match:

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
0.04s user 0.01s system 95% cpu 0.052 total

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
1.79s user 0.02s system 99% cpu 1.812 total

The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

  1. CCC
  2. CC+C
  3. C+CC
  4. C+C+C.

The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

From there, the number of steps the engine must use to validate a string just continues to grow.

String Number of C's Number of steps
ACCCX 3 38
ACCCCX 4 71
ACCCCCX 5 136
ACCCCCCCCCCCCCCX 14 65,553

By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

Remediation

Upgrade xlsx to version 0.16.0 or higher.

References

Regular Expression Denial of Service (ReDoS) vulnerability report

low severity

Regular Expression Denial of Service (ReDoS)

  • Vulnerable module: xlsx
  • Introduced through: textract@2.5.0

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d textract@2.5.0 j@0.4.3 xlsx@0.7.12

Overview

xlsx is a parser and writer for various spreadsheet formats.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks. This can cause an impact of about 10 seconds matching time for data 40k characters long.

Disclosure Timeline

  • Feb 19th, 2018 - Initial Disclosure to package owner
  • Feb 19th, 2018 - Initial Response from package owner
  • Feb 21th, 2018 - Fix issued
  • Feb 22th, 2018 - Vulnerability published

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

Let’s take the following regular expression as an example:

regex = /A(B|C+)+D/

This regular expression accomplishes the following:

  • A The string must start with the letter 'A'
  • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
  • D Finally, we ensure this section of the string ends with a 'D'

The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

It most cases, it doesn't take very long for a regex engine to find a match:

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
0.04s user 0.01s system 95% cpu 0.052 total

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
1.79s user 0.02s system 99% cpu 1.812 total

The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

  1. CCC
  2. CC+C
  3. C+CC
  4. C+C+C.

The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

From there, the number of steps the engine must use to validate a string just continues to grow.

String Number of C's Number of steps
ACCCX 3 38
ACCCCX 4 71
ACCCCCX 5 136
ACCCCCCCCCCCCCCX 14 65,553

By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

Remediation

Upgrade xlsx to verson 0.12.2 or higher

References

Note:

xlsx package after version 0.18.5 is distributed only via the authoritative source for SheetJS modules. See this issue (https://github.com/SheetJS/sheetjs/issues/2667) for full details.

Regular Expression Denial of Service (ReDoS) vulnerability report

low severity

Improper Access Control

  • Vulnerable module: electron
  • Introduced through: c3-chart-maker@0.2.8

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d c3-chart-maker@0.2.8 nightmare@2.10.0 electron@1.8.8

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Improper Access Control via the web Bluetooth API, if the app has not configured a custom select-bluetooth-device event handler. The device that is accessed is random and the attacker would have no way of selecting a specific device.

Workarounds:

Adding this code to your app can workaround the issue.

app.on('web-contents-created', (event, webContents) => {
  webContents.on('select-bluetooth-device', (event, devices, callback) => {
    // Prevent default behavior
    event.preventDefault();
    // Cancel the request
    callback('');
  });
});

Remediation

Upgrade electron to version 13.6.6, 14.2.4, 15.3.5, 16.0.6, 17.0.0-alpha.6 or higher.

References

Improper Access Control vulnerability report

low severity

Cross-site Scripting (XSS)

  • Vulnerable module: koa
  • Introduced through: koa@2.15.3

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d koa@2.15.3
    Remediation: Upgrade to koa@2.16.1.

Overview

koa is a Koa web app framework

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the ctx.redirect() function. An attacker can execute scripts on the user's browser or redirect users to malicious sites by supplying malicious input as an achor reference.

Workaround

This vulnerability can be mitigated by ensuring all user-supplied URLs are properly sanitized before being passed to ctx.redirect.

Details

Cross-site scripting (or XSS) is a code vulnerability that occurs when an attacker “injects” a malicious script into an otherwise trusted website. The injected script gets downloaded and executed by the end user’s browser when the user interacts with the compromised website.

This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.

Injecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.

Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, < can be coded as &lt; and > can be coded as &gt; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses < and > as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.

The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.

Types of attacks

There are a few methods by which XSS can be manipulated:

Type Origin Description
Stored Server The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.
Reflected Server The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.
DOM-based Client The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.
Mutated The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.

Affected environments

The following environments are susceptible to an XSS attack:

  • Web servers
  • Application servers
  • Web application environments

How to prevent

This section describes the top best practices designed to specifically protect your code:

  • Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.
  • Convert special characters such as ?, &, /, <, > and spaces to their respective HTML or URL encoded equivalents.
  • Give users the option to disable client-side scripts.
  • Redirect invalid requests.
  • Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.
  • Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.
  • Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.

Remediation

Upgrade koa to version 2.16.1, 3.0.0-alpha.5 or higher.

References

Cross-site Scripting (XSS) vulnerability report

low severity

SQL Injection

  • Vulnerable module: langchain
  • Introduced through: @langchain/community@0.2.31 and langchain@0.2.17

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d @langchain/community@0.2.31 langchain@0.2.20
    Remediation: Upgrade to @langchain/community@0.3.0.
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d langchain@0.2.17
    Remediation: Upgrade to langchain@0.3.3.

Overview

langchain is a Typescript bindings for langchain

Affected versions of this package are vulnerable to SQL Injection via the default configuration of the GraphCypherQAChain class, by manipulating entities in the graph database through prompt injection.

Remediation

Upgrade langchain to version 0.3.3 or higher.

References

SQL Injection vulnerability report

low severity

Cross-site Scripting

  • Vulnerable module: send
  • Introduced through: express@4.19.2

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d express@4.19.2 send@0.18.0
    Remediation: Upgrade to express@4.20.0.
  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d express@4.19.2 serve-static@1.15.0 send@0.18.0
    Remediation: Upgrade to express@4.21.0.

Overview

send is a Better streaming static file server with Range and conditional-GET support

Affected versions of this package are vulnerable to Cross-site Scripting due to improper user input sanitization passed to the SendStream.redirect() function, which executes untrusted code. An attacker can execute arbitrary code by manipulating the input parameters to this method.

Note:

Exploiting this vulnerability requires the following:

  1. The attacker needs to control the input to response.redirect()

  2. Express MUST NOT redirect before the template appears

  3. The browser MUST NOT complete redirection before

  4. The user MUST click on the link in the template

Details

Cross-site scripting (or XSS) is a code vulnerability that occurs when an attacker “injects” a malicious script into an otherwise trusted website. The injected script gets downloaded and executed by the end user’s browser when the user interacts with the compromised website.

This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.

Injecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.

Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, < can be coded as &lt; and > can be coded as &gt; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses < and > as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.

The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.

Types of attacks

There are a few methods by which XSS can be manipulated:

Type Origin Description
Stored Server The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.
Reflected Server The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.
DOM-based Client The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.
Mutated The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.

Affected environments

The following environments are susceptible to an XSS attack:

  • Web servers
  • Application servers
  • Web application environments

How to prevent

This section describes the top best practices designed to specifically protect your code:

  • Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.
  • Convert special characters such as ?, &, /, <, > and spaces to their respective HTML or URL encoded equivalents.
  • Give users the option to disable client-side scripts.
  • Redirect invalid requests.
  • Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.
  • Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.
  • Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.

Remediation

Upgrade send to version 0.19.0, 1.1.0 or higher.

References

Cross-site Scripting vulnerability report

low severity

Cross-site Scripting

  • Vulnerable module: serve-static
  • Introduced through: express@4.19.2

Detailed paths

  • Introduced through: botserver@GeneralBots/BotServer#b5bf44fd707939c907bcf4aab3c3218dc6a5095d express@4.19.2 serve-static@1.15.0
    Remediation: Upgrade to express@4.20.0.

Overview

serve-static is a server.

Affected versions of this package are vulnerable to Cross-site Scripting due to improper sanitization of user input in the redirect function. An attacker can manipulate the redirection process by injecting malicious code into the input.

Note

To exploit this vulnerability, the following conditions are required:

  1. The attacker should be able to control the input to response.redirect()

  2. express must not redirect before the template appears

  3. the browser must not complete redirection before:

  4. the user must click on the link in the template

Details

Cross-site scripting (or XSS) is a code vulnerability that occurs when an attacker “injects” a malicious script into an otherwise trusted website. The injected script gets downloaded and executed by the end user’s browser when the user interacts with the compromised website.

This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.

Injecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.

Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, < can be coded as &lt; and > can be coded as &gt; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses < and > as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.

The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.

Types of attacks

There are a few methods by which XSS can be manipulated:

Type Origin Description
Stored Server The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.
Reflected Server The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.
DOM-based Client The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.
Mutated The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.

Affected environments

The following environments are susceptible to an XSS attack:

  • Web servers
  • Application servers
  • Web application environments

How to prevent

This section describes the top best practices designed to specifically protect your code:

  • Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.
  • Convert special characters such as ?, &, /, <, > and spaces to their respective HTML or URL encoded equivalents.
  • Give users the option to disable client-side scripts.
  • Redirect invalid requests.
  • Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.
  • Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.
  • Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.

Remediation

Upgrade serve-static to version 1.16.0, 2.1.0 or higher.

References

Cross-site Scripting vulnerability report