Vulnerabilities

 1 via 1 paths

Dependencies

 105

Source

 GitHub

Find, fix and prevent vulnerabilities in your code.

Test and protect my applications
Issue type
  • 1
  • 1
Severity
  • 2
Status
  • 2
  • 0
  • 0

medium severity
new

Use of Uninitialized Resource

  • Vulnerable module: ws
  • Introduced through: parse@8.6.0

Detailed paths

  • Introduced through: @parse/push-adapter@parse-community/parse-server-push-adapter parse@8.6.0 ws@8.20.0

Overview

ws is a simple to use websocket client, server and console for node.js.

Affected versions of this package are vulnerable to Use of Uninitialized Resource in the websocket.close() implementation in the Sender class, which exposes uninitialized memory when a TypedArray is provided as the reason argument.

Note: The project maintainers note that this "flaw is only exploitable through misuse that is unlikely in practice".

PoC

import { deepStrictEqual } from 'node:assert';
import { WebSocket, WebSocketServer } from 'ws';

const wss = new WebSocketServer(
  { port: 0, skipUTF8Validation: true },
  function () {
    const { port } = wss.address();
    const ws = new WebSocket(`ws://localhost:${port}`, {
      skipUTF8Validation: true
    });

    ws.on('close', function (code, reason) {
      deepStrictEqual(reason, Buffer.alloc(80));
    });
  }
);

wss.on('connection', function (ws) {
  ws.close(1000, new Float32Array(20));
});

Remediation

Upgrade ws to version 8.20.1 or higher.

References

Use of Uninitialized Resource vulnerability report

medium severity

MPL-2.0 license

  • Module: web-push
  • Introduced through: web-push@3.6.7

Detailed paths

  • Introduced through: @parse/push-adapter@parse-community/parse-server-push-adapter web-push@3.6.7

MPL-2.0 license

MPL-2.0 license vulnerability report