webtorrent@0.72.0 vulnerabilities

Streaming torrent client

Direct Vulnerabilities

Known vulnerabilities in the webtorrent package. This does not include vulnerabilities belonging to this package’s dependencies.

Cross-site Scripting (XSS)
Severity: L

webtorrent is a streaming torrent client for node.js and the browser.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). If the torrent contains a specially crafted title or file name, and the user starts the WebTorrent HTTP server via createServer(), and then the user visits the HTTP server index page (which lists the contents of the torrent), then the attacker can run JavaScript in that browser context. The WebTorrent HTTP server only allows fetching data pieces from the torrent, so attacker code could, for example, determine what content the user is downloading and exfiltrate that to an external domain.

How to fix Cross-site Scripting (XSS)?

Upgrade webtorrent to version 0.107.6 or higher.

Vulnerable versions: <0.107.6

DNS Rebinding
Severity: L

Affected versions of this package are vulnerable to DNS Rebinding. When the request hostname does not match the user-provided opts.hostname value, the server merely omits the Access-Control-Allow-Origin header instead of stopping processing of the request and returning nothing.

How to fix DNS Rebinding?

Upgrade webtorrent to version 0.105.2 or higher.

Vulnerable versions: <0.105.2