Vulnerabilities

 2 via 2 paths

Dependencies

 274

Source

 GitHub

Commit

 343e7de7

Find, fix and prevent vulnerabilities in your code.

Test and protect my applications
Severity
  • 1
  • 1
Status
  • 2
  • 0
  • 0

high severity

Cross-site Request Forgery (CSRF)

  • Vulnerable module: axios
  • Introduced through: node-ical@0.16.1

Detailed paths

  • Introduced through: magicmirror@MichMich/MagicMirror#343e7de7bd295a69e68e4ee520552e0785a99e1c node-ical@0.16.1 axios@1.4.0
    Remediation: Upgrade to node-ical@0.17.0.

Overview

axios is a promise-based HTTP client for the browser and Node.js.

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) due to inserting the X-XSRF-TOKEN header using the secret XSRF-TOKEN cookie value in all requests to any server when the XSRF-TOKEN0 cookie is available, and the withCredentials setting is turned on. If a malicious user manages to obtain this value, it can potentially lead to the XSRF defence mechanism bypass.

Workaround

Users should change the default XSRF-TOKEN cookie name in the Axios configuration and manually include the corresponding header only in the specific places where it's necessary.

Remediation

Upgrade axios to version 1.6.0 or higher.

References

Cross-site Request Forgery (CSRF) vulnerability report

medium severity
new

Missing Release of Resource after Effective Lifetime

  • Vulnerable module: inflight
  • Introduced through: eslint@8.55.0

Detailed paths

  • Introduced through: magicmirror@MichMich/MagicMirror#343e7de7bd295a69e68e4ee520552e0785a99e1c eslint@8.55.0 file-entry-cache@6.0.1 flat-cache@3.2.0 rimraf@3.0.2 glob@7.2.3 inflight@1.0.6

Overview

Affected versions of this package are vulnerable to Missing Release of Resource after Effective Lifetime via the makeres function due to improperly deleting keys from the reqs object after execution of callbacks. This behavior causes the keys to remain in the reqs object, which leads to resource exhaustion.

Exploiting this vulnerability results in crashing the node process or in the application crash.

Note: This library is not maintained, and currently, there is no fix for this issue. To overcome this vulnerability, several dependent packages have eliminated the use of this library.

PoC

const inflight = require('inflight');

function testInflight() {
  let i = 0;
  function scheduleNext() {
    let key = `key-${i++}`;
    const callback = () => {
    };
    for (let j = 0; j < 1000000; j++) {
      inflight(key, callback);
    }

    setImmediate(scheduleNext);
  }


  if (i % 100 === 0) {
    console.log(process.memoryUsage());
  }

  scheduleNext();
}

testInflight();

Remediation

There is no fixed version for inflight.

References

Missing Release of Resource after Effective Lifetime vulnerability report