Showing 33 of 33 total issues
negotiator
Regular Expression Denial of Service Open
"negotiator": {
"version": "0.5.3",
"resolved": "https://registry.npmjs.org/negotiator/-/negotiator-0.5.3.tgz",
"integrity": "sha1-Jp1cR2gQ7JLtvntsLygxY4T5p+g=",
"dev": true
- Read upRead up
- Exclude checks
Regular Expression Denial of Service
Overview:
negotiator is an HTTP content negotiator for Node.js and is used by many modules and frameworks including Express and Koa.
The header for "Accept-Language", when parsed by negotiator is vulnerable to Regular Expression Denial of Service via a specially crafted string.
Timeline
- April 29th 2016 - Initial report to maintainers
- April 29th 2016 - Confirm receipt from maintainers
- May 1st 2016 - Fix confirmed
- May 5th 2016 - 0.6.1 published with fix
- June 16th 2016 - Advisory published (delay was to coordinate fixes in upstream frameworks, Koa and Express)
Recommendation:
Upgrade to at least version 0.6.1
Express users should update to Express 4.14.0 or greater. If you want to see if you are using a vulnerable call, a quick grep for the acceptsLanguages
function call in your application will tell you if you are using this functionality.
minimatch
Regular Expression Denial of Service Open
"minimatch": {
"version": "0.3.0",
"resolved": "https://registry.npmjs.org/minimatch/-/minimatch-0.3.0.tgz",
"integrity": "sha1-J12O2qxPG7MyZHIInnlJyDlGmd0=",
"dev": true,
- Read upRead up
- Exclude checks
Regular Expression Denial of Service
Overview:
Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp
objects. The primary function, minimatch(path, pattern)
is vulnerable to ReDoS in the pattern
parameter. This is because of the regular expression on line 521 of minimatch.js: /((?:\\{2})*)(\\?)\|/g,
. The problematic portion of the regex is ((?:\\{2})*)
which matches against \\
.
A proof of concept is as follows: ``` var minimatch = require(“minimatch”);
// utility function for generating long strings var genstr = function (len, chr) { var result = “”; for (i=0; i<=len; i++) { result = result + chr; } return result; }
var exploit = “[!” + genstr(1000000, “\”) + “A”;
// minimatch exploit. console.log(“starting minimatch”); minimatch(“foo”, exploit); console.log(“finishing minimatch”); ```
Recommendation:
Updated to version 3.0.2 or greater
minimatch
Regular Expression Denial of Service Open
"minimatch": {
"version": "2.0.10",
"resolved": "https://registry.npmjs.org/minimatch/-/minimatch-2.0.10.tgz",
"integrity": "sha1-jQh8OcazjAAbl/ynzm0OHoCvusc=",
"dev": true,
- Read upRead up
- Exclude checks
Regular Expression Denial of Service
Overview:
Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp
objects. The primary function, minimatch(path, pattern)
is vulnerable to ReDoS in the pattern
parameter. This is because of the regular expression on line 521 of minimatch.js: /((?:\\{2})*)(\\?)\|/g,
. The problematic portion of the regex is ((?:\\{2})*)
which matches against \\
.
A proof of concept is as follows: ``` var minimatch = require(“minimatch”);
// utility function for generating long strings var genstr = function (len, chr) { var result = “”; for (i=0; i<=len; i++) { result = result + chr; } return result; }
var exploit = “[!” + genstr(1000000, “\”) + “A”;
// minimatch exploit. console.log(“starting minimatch”); minimatch(“foo”, exploit); console.log(“finishing minimatch”); ```
Recommendation:
Updated to version 3.0.2 or greater
mime
Regular Expression Denial of Service Open
"mime": {
"version": "1.3.4",
"resolved": "https://registry.npmjs.org/mime/-/mime-1.3.4.tgz",
"integrity": "sha1-EV+eO2s9rylZmDyzjxSaLUDrXVM=",
"dev": true
- Read upRead up
- Exclude checks
Regular Expression Denial of Service
Overview:
The mime module is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.
Recommendation:
Upgrade to version 2.0.3 or greater.
Avoid too many return
statements within this function. Open
return new PluralFormat(
element.id, format.ordinal, format.offset, options, pluralFn
);
cli
Arbitrary File Write Open
"cli": {
"version": "0.6.6",
"resolved": "https://registry.npmjs.org/cli/-/cli-0.6.6.tgz",
"integrity": "sha1-Aq1Eo4Cr8nraxebwzdewQ9dMU+M=",
"dev": true,
- Read upRead up
- Exclude checks
Arbitrary File Write
Overview:
lock_file = '/tmp/' + cli.app + '.pid',
log_file = '/tmp/' + cli.app + '.log';
The package node-cli
insecurely uses the lockfile and logfile. Both of these are temporary, but it allows the starting user to overwrite any file they have access to.
Recommendation:
Update to version 1.0.0 or later
minimatch
Regular Expression Denial of Service Open
"minimatch": {
"version": "0.3.0",
"resolved": "https://registry.npmjs.org/minimatch/-/minimatch-0.3.0.tgz",
"integrity": "sha1-J12O2qxPG7MyZHIInnlJyDlGmd0=",
"dev": true,
- Read upRead up
- Exclude checks
Regular Expression Denial of Service
Overview:
Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp
objects. The primary function, minimatch(path, pattern)
is vulnerable to ReDoS in the pattern
parameter. This is because of the regular expression on line 521 of minimatch.js: /((?:\\{2})*)(\\?)\|/g,
. The problematic portion of the regex is ((?:\\{2})*)
which matches against \\
.
A proof of concept is as follows: ``` var minimatch = require(“minimatch”);
// utility function for generating long strings var genstr = function (len, chr) { var result = “”; for (i=0; i<=len; i++) { result = result + chr; } return result; }
var exploit = “[!” + genstr(1000000, “\”) + “A”;
// minimatch exploit. console.log(“starting minimatch”); minimatch(“foo”, exploit); console.log(“finishing minimatch”); ```
Recommendation:
Updated to version 3.0.2 or greater
minimatch
Regular Expression Denial of Service Open
"minimatch": {
"version": "0.2.14",
"resolved": "https://registry.npmjs.org/minimatch/-/minimatch-0.2.14.tgz",
"integrity": "sha1-x054BXT2PG+aCQ6Q775u9TpqdWo=",
"dev": true,
- Read upRead up
- Exclude checks
Regular Expression Denial of Service
Overview:
Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp
objects. The primary function, minimatch(path, pattern)
is vulnerable to ReDoS in the pattern
parameter. This is because of the regular expression on line 521 of minimatch.js: /((?:\\{2})*)(\\?)\|/g,
. The problematic portion of the regex is ((?:\\{2})*)
which matches against \\
.
A proof of concept is as follows: ``` var minimatch = require(“minimatch”);
// utility function for generating long strings var genstr = function (len, chr) { var result = “”; for (i=0; i<=len; i++) { result = result + chr; } return result; }
var exploit = “[!” + genstr(1000000, “\”) + “A”;
// minimatch exploit. console.log(“starting minimatch”); minimatch(“foo”, exploit); console.log(“finishing minimatch”); ```
Recommendation:
Updated to version 3.0.2 or greater
debug
Regular Expression Denial of Service Open
"debug": {
"version": "2.2.0",
"resolved": "https://registry.npmjs.org/debug/-/debug-2.2.0.tgz",
"integrity": "sha1-+HBX6ZWxofauaklgZkE3vFbwOdo=",
"dev": true,
- Read upRead up
- Exclude checks
Regular Expression Denial of Service
Overview:
The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o
formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.
Recommendation:
Upgrade to version 2.6.9 or greater if you are on the 2.6.x series or 3.1.0 or greater.
minimatch
Regular Expression Denial of Service Open
"minimatch": {
"version": "0.3.0",
"resolved": "https://registry.npmjs.org/minimatch/-/minimatch-0.3.0.tgz",
"integrity": "sha1-J12O2qxPG7MyZHIInnlJyDlGmd0=",
"dev": true,
- Read upRead up
- Exclude checks
Regular Expression Denial of Service
Overview:
Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp
objects. The primary function, minimatch(path, pattern)
is vulnerable to ReDoS in the pattern
parameter. This is because of the regular expression on line 521 of minimatch.js: /((?:\\{2})*)(\\?)\|/g,
. The problematic portion of the regex is ((?:\\{2})*)
which matches against \\
.
A proof of concept is as follows: ``` var minimatch = require(“minimatch”);
// utility function for generating long strings var genstr = function (len, chr) { var result = “”; for (i=0; i<=len; i++) { result = result + chr; } return result; }
var exploit = “[!” + genstr(1000000, “\”) + “A”;
// minimatch exploit. console.log(“starting minimatch”); minimatch(“foo”, exploit); console.log(“finishing minimatch”); ```
Recommendation:
Updated to version 3.0.2 or greater
minimatch
Regular Expression Denial of Service Open
"minimatch": {
"version": "2.0.10",
"resolved": "https://registry.npmjs.org/minimatch/-/minimatch-2.0.10.tgz",
"integrity": "sha1-jQh8OcazjAAbl/ynzm0OHoCvusc=",
"dev": true,
- Read upRead up
- Exclude checks
Regular Expression Denial of Service
Overview:
Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp
objects. The primary function, minimatch(path, pattern)
is vulnerable to ReDoS in the pattern
parameter. This is because of the regular expression on line 521 of minimatch.js: /((?:\\{2})*)(\\?)\|/g,
. The problematic portion of the regex is ((?:\\{2})*)
which matches against \\
.
A proof of concept is as follows: ``` var minimatch = require(“minimatch”);
// utility function for generating long strings var genstr = function (len, chr) { var result = “”; for (i=0; i<=len; i++) { result = result + chr; } return result; }
var exploit = “[!” + genstr(1000000, “\”) + “A”;
// minimatch exploit. console.log(“starting minimatch”); minimatch(“foo”, exploit); console.log(“finishing minimatch”); ```
Recommendation:
Updated to version 3.0.2 or greater
fresh
Regular Expression Denial of Service Open
"fresh": {
"version": "0.3.0",
"resolved": "https://registry.npmjs.org/fresh/-/fresh-0.3.0.tgz",
"integrity": "sha1-ZR+DjiJCTnVm3hYdg1jKoZn4PU8=",
"dev": true
- Read upRead up
- Exclude checks
Regular Expression Denial of Service
Overview:
Fresh is a module used by the Express.js framework for 'HTTP response freshness testing'. It is vulnerable to a regular expression denial of service when it is passed specially crafted input to parse. This causes the event loop to be blocked causing a denial of service condition.
Recommendation:
If you are using this module via express, upgrade to Express version 4.15.5 or greater.
Upgrade to 0.5.2 or greater
TODO found Open
// TODO: Provide anything else?
- Exclude checks