Homepage
About Snyk

Improper Input Validation Affecting kurwov package, versions >=3.1.0 <3.2.5

0.0
medium
0
10

Snyk CVSS

    Attack Complexity Low
    Availability High

    Threat Intelligence

    EPSS 0.05% (15th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JS-KURWOV-6808831
  • published 5 May 2024
  • disclosed 3 May 2024
  • credit Unknown
Report a new vulnerability Found a mistake?

Introduced: 3 May 2024

New CVE-2024-34075 Open this link in a new tab
CWE-20 Open this link in a new tab

How to fix?

Upgrade kurwov to version 3.2.5 or higher.

Overview

kurwov is an a markov chain library

Affected versions of this package are vulnerable to Improper Input Validation due to improper data sanitization in the MarkovData#getNext method used in Markov#generate and Markov#choose. A maliciously crafted string in the dataset can cause the function to throw an error and stop running properly by exploiting the sanitization bypass when a forbidden substring followed by a space character is encountered. This leads to the data being defined as a special function found in its prototype instead of an array, and when data is indexed by a random number, it is supposed to return a string but returns undefined as it's a function, causing the endsWith call to throw.