Vulnerabilities

 3 via 3 paths

Dependencies

 6

Source

 GitHub

Commit

 b642752d

Find, fix and prevent vulnerabilities in your code.

Test and protect my applications
Severity
  • 1
  • 2
Status
  • 3
  • 0
  • 0

high severity
new

Uncontrolled Recursion

  • Vulnerable module: underscore
  • Introduced through: express-brute@1.0.1

Detailed paths

  • Introduced through: express-brute-loki@requarks/express-brute-loki#b642752d0c1129a791d02138a8141ce2bc201620 express-brute@1.0.1 underscore@1.8.3

Overview

underscore is a JavaScript's functional programming helper library.

Affected versions of this package are vulnerable to Uncontrolled Recursion through the _.flatten() or _.isEqual() functions that are used without a depth limit. An attacker can cause the application to crash or become unresponsive by supplying deeply nested data structures as input, leading to stack exhaustion.

Workaround

This vulnerability can be mitigated by enforcing a depth limit on data structures created from untrusted input (e.g., limiting nesting to 1000 levels or fewer), or by passing a finite depth limit as the second argument to the _.flatten() function.

Remediation

Upgrade underscore to version 1.13.8 or higher.

References

Uncontrolled Recursion vulnerability report

medium severity

Rate Limiting Bypass

  • Vulnerable module: express-brute
  • Introduced through: express-brute@1.0.1

Detailed paths

  • Introduced through: express-brute-loki@requarks/express-brute-loki#b642752d0c1129a791d02138a8141ce2bc201620 express-brute@1.0.1

Overview

express-brute is a brute-force protection middleware for express routes that rate-limits incoming requests, increasing the delay with each request in a fibonacci-like sequence.

Affected versions of this package are vulnerable to Rate Limiting Bypass due to incorrectly counting the number of requests sent, this allows an attacker to bypass the rate-limiting mechanism.

Remediation

There is no fixed version for express-brute.

References

Rate Limiting Bypass vulnerability report

medium severity

Arbitrary Code Injection

  • Vulnerable module: underscore
  • Introduced through: express-brute@1.0.1

Detailed paths

  • Introduced through: express-brute-loki@requarks/express-brute-loki#b642752d0c1129a791d02138a8141ce2bc201620 express-brute@1.0.1 underscore@1.8.3

Overview

underscore is a JavaScript's functional programming helper library.

Affected versions of this package are vulnerable to Arbitrary Code Injection via the template function, particularly when the variable option is taken from _.templateSettings as it is not sanitized.

PoC

const _ = require('underscore');
_.templateSettings.variable = "a = this.process.mainModule.require('child_process').execSync('touch HELLO')";
const t = _.template("")();

Remediation

Upgrade underscore to version 1.13.0-2, 1.12.1 or higher.

References

Arbitrary Code Injection vulnerability report