Vulnerabilities: 4 via 4 paths
Dependencies: 137
Source: GitHub
Commit: 64a8c671


high severity

Insecure Randomness

  • Vulnerable module: undici
  • Introduced through: mercurius@13.4.1

Detailed paths

  • Introduced through: @aiswarm/api-graphql@aiswarm/api-graphql#64a8c671bbd79650897bd4fd2b9ce7b4d7ffa041 > mercurius@13.4.1 > undici@5.28.3
    Remediation: Upgrade to mercurius@14.1.0.

Overview

undici is an HTTP/1.1 client, written from scratch for Node.js.

Affected versions of this package are vulnerable to Insecure Randomness due to the use of Math.random(), an insufficiently random value generator, for boundary selection in multipart/form-data requests. An attacker can predict the boundary values and manipulate multipart requests by intercepting and analyzing multiple requests to deduce the random generator pattern.

Note: This is only exploitable if multipart requests are sent to an attacker-controlled server.

Remediation

Upgrade undici to version 5.28.5, 6.21.1, 7.2.3 or higher.

low severity

Improper Authorization

  • Vulnerable module: undici
  • Introduced through: mercurius@13.4.1

Detailed paths

  • Introduced through: @aiswarm/api-graphql@aiswarm/api-graphql#64a8c671bbd79650897bd4fd2b9ce7b4d7ffa041 > mercurius@13.4.1 > undici@5.28.3
    Remediation: Upgrade to mercurius@14.1.0.

Overview

undici is an HTTP/1.1 client, written from scratch for Node.js.

Affected versions of this package are vulnerable to Improper Authorization due to improper handling of Proxy-Authorization headers during cross-origin redirects in certain methods. An attacker can exploit this behavior by inducing a victim to make a request that triggers a cross-origin redirect, potentially leaking sensitive information contained in the Proxy-Authorization header.

Remediation

Upgrade undici to version 5.28.4, 6.11.1 or higher.

low severity

Improper Access Control

  • Vulnerable module: undici
  • Introduced through: mercurius@13.4.1

Detailed paths

  • Introduced through: @aiswarm/api-graphql@aiswarm/api-graphql#64a8c671bbd79650897bd4fd2b9ce7b4d7ffa041 > mercurius@13.4.1 > undici@5.28.3
    Remediation: Upgrade to mercurius@14.1.0.

Overview

undici is an HTTP/1.1 client, written from scratch for Node.js.

Affected versions of this package are vulnerable to Improper Access Control due to the integrity option passed to fetch(). An attacker can alter this option, allowing fetch() to accept requests as valid even if they have been tampered with.

Remediation

Upgrade undici to version 5.28.4, 6.11.1 or higher.

low severity

Missing Release of Memory after Effective Lifetime

  • Vulnerable module: undici
  • Introduced through: mercurius@13.4.1

Detailed paths

  • Introduced through: @aiswarm/api-graphql@aiswarm/api-graphql#64a8c671bbd79650897bd4fd2b9ce7b4d7ffa041 > mercurius@13.4.1 > undici@5.28.3
    Remediation: Upgrade to mercurius@14.1.0.

Overview

undici is an HTTP/1.1 client, written from scratch for Node.js.

Affected versions of this package are vulnerable to Missing Release of Memory after Effective Lifetime due to improper handling of invalid certificate data. An attacker can cause a memory leak by setting up a server with a bad certificate and inducing the application to repeatedly call a webhook-like system.

Remediation

Upgrade undici to version 5.29.0, 6.21.2, 7.5.0 or higher.