Vulnerabilities

3 via 3 paths

Dependencies

134

Source

GitHub

Commit

904a84b5

Find, fix and prevent vulnerabilities in your code.

Severity
  • 1
  • 1
  • 1
Status
  • 3
  • 0
  • 0

high severity

Heap-based Buffer Overflow

  • Vulnerable module: node-libcurl
  • Introduced through: node-libcurl@4.0.0

Detailed paths

  • Introduced through: sync-request-curl@nktnet1/sync-request-curl#904a84b5e739ed1a7577eb5dfd4b2553c9b4b08c node-libcurl@4.0.0

Overview

Affected versions of this package are vulnerable to Heap-based Buffer Overflow in the SOCKS5 proxy handshake process when the hostname is longer than the target buffer and larger than 255 bytes. The local variable socks5_resolve_local could get the wrong value during a slow SOCKS5 handshake. Since the code wrongly thinks it should pass on the hostname, even though the hostname is too long to fit, the memory copy can overflow the allocated target buffer.

This is only exploitable if the SOCKS5 handshake is slow enough to trigger a local variable bug and the client uses a hostname longer than the download buffer.

Exploiting this vulnerability could allow an attacker to execute arbitrary code on the target system under certain conditions.

Note:

An overflow is only possible in applications that don't set CURLOPT_BUFFERSIZE or set it smaller than 65541. Since the curl tool sets CURLOPT_BUFFERSIZE to 100kB by default, it is not vulnerable unless the user sets the rate limiting to a rate smaller than 65541 bytes/second.

The options that cause SOCKS5 with remote hostname to be used in libcurl:

  1. CURLOPT_PROXYTYPE set to type CURLPROXY_SOCKS5_HOSTNAME, or: CURLOPT_PROXY or CURLOPT_PRE_PROXY set to use the scheme socks5h://

  2. One of the proxy environment variables can be set to use the socks5h:// scheme. For example, http_proxy, HTTPS_PROXY or ALL_PROXY.

The options that cause SOCKS5 with remote hostname to be used in the curl tool:

  1. --socks5-hostname, --proxy or --preproxy set to use the scheme socks5h://

  2. Environment variables as described in the libcurl section.

Changelog:

2023-10-04: Initial publication

2023-10-11: Published updated information, including CWE, CVSS, official references and affected versions range.

Remediation

There is no fixed version for node-libcurl.

References

medium severity

Missing Release of Resource after Effective Lifetime

  • Vulnerable module: inflight
  • Introduced through: node-libcurl@4.0.0

Detailed paths

  • Introduced through: sync-request-curl@nktnet1/sync-request-curl#904a84b5e739ed1a7577eb5dfd4b2553c9b4b08c node-libcurl@4.0.0 @mapbox/node-pre-gyp@1.0.11 rimraf@3.0.2 glob@7.2.3 inflight@1.0.6

Overview

Affected versions of this package are vulnerable to Missing Release of Resource after Effective Lifetime via the makeres function due to improperly deleting keys from the reqs object after execution of callbacks. This behavior causes the keys to remain in the reqs object, which leads to resource exhaustion.

Exploiting this vulnerability results in crashing the node process or in the application crash.

Note: This library is not maintained, and currently, there is no fix for this issue. To overcome this vulnerability, several dependent packages have eliminated the use of this library.

To trigger the memory leak, an attacker would need to have the ability to execute or influence the asynchronous operations that use the inflight module within the application. This typically requires access to the internal workings of the server or application, which is not commonly exposed to remote users. Therefore, “Attack vector” is marked as “Local”.

PoC

const inflight = require('inflight');

function testInflight() {
  let i = 0;
  function scheduleNext() {
    let key = `key-${i++}`;
    const callback = () => {
    };
    for (let j = 0; j < 1000000; j++) {
      inflight(key, callback);
    }

    setImmediate(scheduleNext);
  }


  if (i % 100 === 0) {
    console.log(process.memoryUsage());
  }

  scheduleNext();
}

testInflight();

Remediation

There is no fixed version for inflight.

References

low severity

External Control of File Name or Path

  • Vulnerable module: node-libcurl
  • Introduced through: node-libcurl@4.0.0

Detailed paths

  • Introduced through: sync-request-curl@nktnet1/sync-request-curl#904a84b5e739ed1a7577eb5dfd4b2553c9b4b08c node-libcurl@4.0.0

Overview

Affected versions of this package are vulnerable to External Control of File Name or Path via the curl_easy_duphandle function, allowing an attacker to insert cookies into a running program using this library.

When this function is used to duplicate an easy handle with cookies enabled, the cookie-enable state is also cloned. However, the actual cookies are not cloned, and if the source handle did not read any cookies from a specific file on disk, the cloned handle would store the file name as none. Subsequent use of the cloned handle that does not explicitly set a source to load cookies from would inadvertently load cookies from a file named none.

Note:

This is only exploitable if a file named none exists and is readable in the current directory of the program using libcurl and in the correct file format.

Changelog:

2023-10-04: Initial publication

2023-10-11: Published updated information, including CWE, CVSS, official references and affected versions range.

Remediation

There is no fixed version for node-libcurl.

References