wstunnel@1.1.2

Vulnerabilities: 2 via 3 paths
Dependencies: 9
Source: npm

medium severity

Insecure Randomness

  • Vulnerable module: node-uuid
  • Introduced through: node-uuid@1.4.1 and machine-uuid@1.0.7

Detailed paths

  • Introduced through: wstunnel@1.1.2 node-uuid@1.4.1
    Remediation: Upgrade to wstunnel@1.2.6.
  • Introduced through: wstunnel@1.1.2 machine-uuid@1.0.7 node-uuid@1.4.1
    Remediation: Upgrade to wstunnel@1.2.3.

Overview

node-uuid is a library for simple, fast generation of RFC4122 UUIDs.

Affected versions of this package are vulnerable to Insecure Randomness. They use the cryptographically insecure Math.random, which can produce predictable values and should not be used in security-sensitive contexts.

Remediation

Upgrade node-uuid to version 1.4.4 or greater.

medium severity

Arbitrary Code Injection

  • Vulnerable module: underscore
  • Introduced through: underscore@1.4.4

Detailed paths

  • Introduced through: wstunnel@1.1.2 underscore@1.4.4
    Remediation: Upgrade to underscore@1.12.1.

Overview

underscore is a JavaScript functional programming helper library.

Affected versions of this package are vulnerable to Arbitrary Code Injection via the template function, particularly when the variable option is taken from _.templateSettings as it is not sanitized.

PoC

const _ = require('underscore');
// The unsanitized `variable` setting is interpolated directly into the source of the generated template function.
_.templateSettings.variable = "a = this.process.mainModule.require('child_process').execSync('touch HELLO')";
// Compiling and invoking even an empty template evaluates the injected code.
const t = _.template("")();

Remediation

Upgrade underscore to version 1.13.0-2, 1.12.1 or higher.