Vulnerabilities

 3 via 3 paths

Dependencies

 68

Source

 GitHub

Commit

 a64b3731

Find, fix and prevent vulnerabilities in your code.

Test and protect my applications
Severity
  • 2
  • 1
Status
  • 3
  • 0
  • 0

high severity
new

Uncontrolled Recursion

  • Vulnerable module: underscore
  • Introduced through: jsonlint@1.6.3

Detailed paths

  • Introduced through: gulp-json-concat@thedaviddias/gulp-json-concat#a64b37311bb0cf7747176e15f885c204d8a032df jsonlint@1.6.3 nomnom@1.8.1 underscore@1.6.0

Overview

underscore is a JavaScript's functional programming helper library.

Affected versions of this package are vulnerable to Uncontrolled Recursion through the _.flatten() or _.isEqual() functions that are used without a depth limit. An attacker can cause the application to crash or become unresponsive by supplying deeply nested data structures as input, leading to stack exhaustion.

Workaround

This vulnerability can be mitigated by enforcing a depth limit on data structures created from untrusted input (e.g., limiting nesting to 1000 levels or fewer), or by passing a finite depth limit as the second argument to the _.flatten() function.

Remediation

Upgrade underscore to version 1.13.8 or higher.

References

Uncontrolled Recursion vulnerability report

high severity

Code Injection

  • Vulnerable module: lodash.template
  • Introduced through: gulp-util@3.0.8

Detailed paths

  • Introduced through: gulp-json-concat@thedaviddias/gulp-json-concat#a64b37311bb0cf7747176e15f885c204d8a032df gulp-util@3.0.8 lodash.template@3.6.2

Overview

lodash.template is a The Lodash method _.template exported as a Node.js module.

Affected versions of this package are vulnerable to Code Injection via template.

PoC

var _ = require('lodash');

_.template('', { variable: '){console.log(process.env)}; with(obj' })()

Remediation

There is no fixed version for lodash.template.

References

Code Injection vulnerability report

medium severity

Arbitrary Code Injection

  • Vulnerable module: underscore
  • Introduced through: jsonlint@1.6.3

Detailed paths

  • Introduced through: gulp-json-concat@thedaviddias/gulp-json-concat#a64b37311bb0cf7747176e15f885c204d8a032df jsonlint@1.6.3 nomnom@1.8.1 underscore@1.6.0

Overview

underscore is a JavaScript's functional programming helper library.

Affected versions of this package are vulnerable to Arbitrary Code Injection via the template function, particularly when the variable option is taken from _.templateSettings as it is not sanitized.

PoC

const _ = require('underscore');
_.templateSettings.variable = "a = this.process.mainModule.require('child_process').execSync('touch HELLO')";
const t = _.template("")();

Remediation

Upgrade underscore to version 1.13.0-2, 1.12.1 or higher.

References

Arbitrary Code Injection vulnerability report