Use After Free

Affecting puppeteer package, versions <1.13.0

Do your applications use this vulnerable package? Test your applications

Overview

puppeteer is a Node library which provides a high-level API to control Chrome or Chromium over the DevTools Protocol.

Affected versions of this package are vulnerable to a Use After Free via the Chromium implementation of the FileReader API which could lead to code execution.

Remediation

Upgrade puppeteer to version 1.13.0 or higher.

References

CVSS Score

8.8
high severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    Required
  • Scope
    Unchanged
  • Confidentiality
    High
  • Integrity
    High
  • Availability
    High
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Credit
joelgriffith
CVE
CVE-2019-5786
CWE
CWE-416
Snyk ID
SNYK-JS-PUPPETEER-174321
Disclosed
08 Mar, 2019
Published
15 Apr, 2019