Vulnerabilities: 1 via 1 paths

Dependencies: 365

Source: GitHub

Commit: bc9aa37c


high severity (new)

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: express-rate-limit
  • Introduced through: express-rate-limit@8.2.1

Detailed paths

  • Introduced through: parse-server@parse-community/parse-server#bc9aa37c8509c425701726c4cb40bfa367906f19 express-rate-limit@8.2.1
    Remediation: Upgrade to express-rate-limit@8.2.2.

Overview

express-rate-limit is a basic IP rate-limiting middleware for Express, used to limit repeated requests to public APIs and/or endpoints such as password reset.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the ipKeyGenerator function when handling IPv4-mapped IPv6 addresses on dual-stack servers. An attacker can cause all IPv4 clients to be rate-limited simultaneously by exhausting the shared rate limit bucket through repeated requests from a single IPv4 client.

Remediation

Upgrade express-rate-limit to version 8.0.2, 8.1.1, 8.2.2 or higher.

medium severity

MPL-2.0 license

  • Module: web-push
  • Introduced through: @parse/push-adapter@8.3.1

Detailed paths

  • Introduced through: parse-server@parse-community/parse-server#bc9aa37c8509c425701726c4cb40bfa367906f19 @parse/push-adapter@8.3.1 web-push@3.6.7