Vulnerabilities

 5 via 20 paths

Dependencies

 424

Source

 GitHub

Commit

 6a2936a6

Find, fix and prevent vulnerabilities in your code.

Test and protect my applications
Severity
  • 2
  • 3
Status
  • 5
  • 0
  • 0

high severity

Server-side Request Forgery (SSRF)

  • Vulnerable module: ip
  • Introduced through: @salesforce/source-deploy-retrieve@7.15.1

Detailed paths

  • Introduced through: sf-codegen@dieffrei/sf-codegen#6a2936a6eb90439e21ba067c7711d6571011bd58 @salesforce/source-deploy-retrieve@7.15.1 proxy-agent@5.0.0 pac-proxy-agent@5.0.0 pac-resolver@5.0.1 ip@1.1.9

Overview

ip is a Node library.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the ip.isPublic() and ip.isPrivate() functions. An attacker can interact with internal network resources by supplying specially crafted IP address such as octal localhost format ("017700000001") that is incorrectly identified as public.

Note:

This issue exists because of an incomplete fix for CVE-2024-29415.

PoC

Test octal localhost bypass:

node -e "const ip=require('ip'); console.log('017700000001 bypass:', ip.isPublic('017700000001'));" - returns true

Remediation

There is no fixed version for ip.

References

Server-side Request Forgery (SSRF) vulnerability report

high severity

Server-side Request Forgery (SSRF)

  • Vulnerable module: ip
  • Introduced through: @salesforce/source-deploy-retrieve@7.15.1

Detailed paths

  • Introduced through: sf-codegen@dieffrei/sf-codegen#6a2936a6eb90439e21ba067c7711d6571011bd58 @salesforce/source-deploy-retrieve@7.15.1 proxy-agent@5.0.0 pac-proxy-agent@5.0.0 pac-resolver@5.0.1 ip@1.1.9

Overview

ip is a Node library.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the ip.isPublic() and ip.isPrivate() functions. An attacker can interact with internal network resources by supplying specially crafted IP address such as null route ("0") that is being incorrectly identified as public.

Note: This issue exists because of an incomplete fix for CVE-2024-29415.

Exploit is only possible if the application and operating system interpret connection attempts to 0 or 0.0.0.0 as connections to 127.0.0.1.

PoC

Test null route bypass:

node -e "const ip=require('ip'); console.log('0 bypass:', ip.isPublic('0'));" - returns true

Remediation

There is no fixed version for ip.

References

Server-side Request Forgery (SSRF) vulnerability report

medium severity

Symlink Attack

  • Vulnerable module: tmp
  • Introduced through: @salesforce/core@3.36.2, @salesforce/command@5.3.9 and others

Detailed paths

  • Introduced through: sf-codegen@dieffrei/sf-codegen#6a2936a6eb90439e21ba067c7711d6571011bd58 @salesforce/core@3.36.2 jsforce@2.0.0-beta.29 inquirer@7.3.3 external-editor@3.1.0 tmp@0.0.33
  • Introduced through: sf-codegen@dieffrei/sf-codegen#6a2936a6eb90439e21ba067c7711d6571011bd58 @salesforce/command@5.3.9 @salesforce/core@3.36.2 jsforce@2.0.0-beta.29 inquirer@7.3.3 external-editor@3.1.0 tmp@0.0.33
  • Introduced through: sf-codegen@dieffrei/sf-codegen#6a2936a6eb90439e21ba067c7711d6571011bd58 @salesforce/source-deploy-retrieve@7.15.1 @salesforce/core@3.36.2 jsforce@2.0.0-beta.29 inquirer@7.3.3 external-editor@3.1.0 tmp@0.0.33

Overview

Affected versions of this package are vulnerable to Symlink Attack via the dir parameter. An attacker can cause files or directories to be written to arbitrary locations by supplying a crafted symbolic link that resolves outside the intended temporary directory.

PoC

const tmp = require('tmp');

const tmpobj = tmp.fileSync({ 'dir': 'evil-dir'});
console.log('File: ', tmpobj.name);

try {
    tmp.fileSync({ 'dir': 'mydir1'});
} catch (err) {
    console.log('test 1:', err.message)
}

try {
    tmp.fileSync({ 'dir': '/foo'});
} catch (err) {
    console.log('test 2:', err.message)
}

try {
    const fs = require('node:fs');
    const resolved = fs.realpathSync('/tmp/evil-dir');
    tmp.fileSync({ 'dir': resolved});
} catch (err) {
    console.log('test 3:', err.message)
}

Remediation

Upgrade tmp to version 0.2.4 or higher.

References

Symlink Attack vulnerability report

medium severity

Server-Side Request Forgery (SSRF)

  • Vulnerable module: ip
  • Introduced through: @salesforce/source-deploy-retrieve@7.15.1

Detailed paths

  • Introduced through: sf-codegen@dieffrei/sf-codegen#6a2936a6eb90439e21ba067c7711d6571011bd58 @salesforce/source-deploy-retrieve@7.15.1 proxy-agent@5.0.0 pac-proxy-agent@5.0.0 pac-resolver@5.0.1 ip@1.1.9

Overview

ip is a Node library.

Affected versions of this package are vulnerable to Server-Side Request Forgery (SSRF) via the isPublic function, which identifies some private IP addresses as public addresses due to improper parsing of the input. An attacker can manipulate a system that uses isLoopback(), isPrivate() and isPublic functions to guard outgoing network requests to treat certain IP addresses as globally routable by supplying specially crafted IP addresses.

Note

This vulnerability derived from an incomplete fix for CVE-2023-42282

Remediation

There is no fixed version for ip.

References

Server-Side Request Forgery (SSRF) vulnerability report

medium severity

Missing Release of Resource after Effective Lifetime

  • Vulnerable module: inflight
  • Introduced through: @salesforce/core@3.36.2, @salesforce/source-deploy-retrieve@7.15.1 and others

Detailed paths

  • Introduced through: sf-codegen@dieffrei/sf-codegen#6a2936a6eb90439e21ba067c7711d6571011bd58 @salesforce/core@3.36.2 archiver@5.3.2 archiver-utils@2.1.0 glob@7.2.3 inflight@1.0.6
  • Introduced through: sf-codegen@dieffrei/sf-codegen#6a2936a6eb90439e21ba067c7711d6571011bd58 @salesforce/source-deploy-retrieve@7.15.1 archiver@5.3.2 archiver-utils@2.1.0 glob@7.2.3 inflight@1.0.6
  • Introduced through: sf-codegen@dieffrei/sf-codegen#6a2936a6eb90439e21ba067c7711d6571011bd58 @salesforce/core@3.36.2 @salesforce/kit@1.9.2 shx@0.3.4 shelljs@0.8.5 glob@7.2.3 inflight@1.0.6
  • Introduced through: sf-codegen@dieffrei/sf-codegen#6a2936a6eb90439e21ba067c7711d6571011bd58 @salesforce/command@5.3.9 @salesforce/kit@1.9.2 shx@0.3.4 shelljs@0.8.5 glob@7.2.3 inflight@1.0.6
  • Introduced through: sf-codegen@dieffrei/sf-codegen#6a2936a6eb90439e21ba067c7711d6571011bd58 @salesforce/source-deploy-retrieve@7.15.1 @salesforce/kit@1.9.2 shx@0.3.4 shelljs@0.8.5 glob@7.2.3 inflight@1.0.6
  • Introduced through: sf-codegen@dieffrei/sf-codegen#6a2936a6eb90439e21ba067c7711d6571011bd58 @salesforce/command@5.3.9 @salesforce/core@3.36.2 archiver@5.3.2 archiver-utils@2.1.0 glob@7.2.3 inflight@1.0.6
  • Introduced through: sf-codegen@dieffrei/sf-codegen#6a2936a6eb90439e21ba067c7711d6571011bd58 @salesforce/source-deploy-retrieve@7.15.1 @salesforce/core@3.36.2 archiver@5.3.2 archiver-utils@2.1.0 glob@7.2.3 inflight@1.0.6
  • Introduced through: sf-codegen@dieffrei/sf-codegen#6a2936a6eb90439e21ba067c7711d6571011bd58 @salesforce/core@3.36.2 archiver@5.3.2 zip-stream@4.1.1 archiver-utils@3.0.4 glob@7.2.3 inflight@1.0.6
  • Introduced through: sf-codegen@dieffrei/sf-codegen#6a2936a6eb90439e21ba067c7711d6571011bd58 @salesforce/source-deploy-retrieve@7.15.1 archiver@5.3.2 zip-stream@4.1.1 archiver-utils@3.0.4 glob@7.2.3 inflight@1.0.6
  • Introduced through: sf-codegen@dieffrei/sf-codegen#6a2936a6eb90439e21ba067c7711d6571011bd58 @salesforce/source-deploy-retrieve@7.15.1 unzipper@0.10.11 fstream@1.0.12 rimraf@2.7.1 glob@7.2.3 inflight@1.0.6
  • Introduced through: sf-codegen@dieffrei/sf-codegen#6a2936a6eb90439e21ba067c7711d6571011bd58 @salesforce/command@5.3.9 @salesforce/core@3.36.2 @salesforce/kit@1.9.2 shx@0.3.4 shelljs@0.8.5 glob@7.2.3 inflight@1.0.6
  • Introduced through: sf-codegen@dieffrei/sf-codegen#6a2936a6eb90439e21ba067c7711d6571011bd58 @salesforce/source-deploy-retrieve@7.15.1 @salesforce/core@3.36.2 @salesforce/kit@1.9.2 shx@0.3.4 shelljs@0.8.5 glob@7.2.3 inflight@1.0.6
  • Introduced through: sf-codegen@dieffrei/sf-codegen#6a2936a6eb90439e21ba067c7711d6571011bd58 @salesforce/command@5.3.9 @salesforce/core@3.36.2 archiver@5.3.2 zip-stream@4.1.1 archiver-utils@3.0.4 glob@7.2.3 inflight@1.0.6
  • Introduced through: sf-codegen@dieffrei/sf-codegen#6a2936a6eb90439e21ba067c7711d6571011bd58 @salesforce/source-deploy-retrieve@7.15.1 @salesforce/core@3.36.2 archiver@5.3.2 zip-stream@4.1.1 archiver-utils@3.0.4 glob@7.2.3 inflight@1.0.6

Overview

Affected versions of this package are vulnerable to Missing Release of Resource after Effective Lifetime via the makeres function due to improperly deleting keys from the reqs object after execution of callbacks. This behavior causes the keys to remain in the reqs object, which leads to resource exhaustion.

Exploiting this vulnerability results in crashing the node process or in the application crash.

Note: This library is not maintained, and currently, there is no fix for this issue. To overcome this vulnerability, several dependent packages have eliminated the use of this library.

To trigger the memory leak, an attacker would need to have the ability to execute or influence the asynchronous operations that use the inflight module within the application. This typically requires access to the internal workings of the server or application, which is not commonly exposed to remote users. Therefore, “Attack vector” is marked as “Local”.

PoC

const inflight = require('inflight');

function testInflight() {
  let i = 0;
  function scheduleNext() {
    let key = `key-${i++}`;
    const callback = () => {
    };
    for (let j = 0; j < 1000000; j++) {
      inflight(key, callback);
    }

    setImmediate(scheduleNext);
  }


  if (i % 100 === 0) {
    console.log(process.memoryUsage());
  }

  scheduleNext();
}

testInflight();

Remediation

There is no fixed version for inflight.

References

Missing Release of Resource after Effective Lifetime vulnerability report