luma/wtf-sdp

npm-shrinkwrap.json
tough-cookie ReDoS via long string of semicolons
Open

        "tough-cookie": {
          "version": "2.2.2",
          "from": "tough-cookie@~2.2.0",
          "resolved": "https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.2.2.tgz"
        },
Severity: Minor
Found in npm-shrinkwrap.json by nodesecurity

ReDoS via long string of semicolons

Overview:

Tough-cookie is a cookie parsing and management library.

Versions 0.9.7 through 2.2.2 contain a vulnerable regular expression that, under certain conditions involving long strings of semicolons in the "Set-Cookie" header, causes the event loop to block for excessive amounts of time.

Recommendation:

Upgrade to at least version 2.3.0

tough-cookie Regular Expression Denial of Service
Open

        "tough-cookie": {
          "version": "2.2.2",
          "from": "tough-cookie@~2.2.0",
          "resolved": "https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.2.2.tgz"
        },
Severity: Minor
Found in npm-shrinkwrap.json by nodesecurity

Regular Expression Denial of Service

Overview:

The tough-cookie module is vulnerable to regular expression denial of service. Input of around 50k characters is required for a slowdown of around 2 seconds.

Unless node was compiled using the -DHTTP_MAX_HEADER_SIZE= option, the default header max length is 80kb, so the impact of the ReDoS is limited to around 7.3 seconds of blocking.

At the time of writing, all versions <= 2.3.2 are vulnerable.

Recommendation:

Please update to version 2.3.3 or greater

brace-expansion ReDoS
Open

    "brace-expansion": {
      "version": "1.1.3",
      "from": "brace-expansion@>=1.0.0 <2.0.0",
      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.3.tgz"
    },
Severity: Minor
Found in npm-shrinkwrap.json by nodesecurity

ReDoS

Overview:

brace-expansion is a module to support bash-like brace expansion in JavaScript. For example, {1,2,3,4} would expand to 1 2 3 4. brace-expansion versions before 1.1.7 are vulnerable to Regular Expression Denial of Service attacks. A proof of concept is provided below:

var expand = require('brace-expansion');
expand('{,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,\n}');

Recommendation:

Upgrade to version 1.1.7 or later.

growl Command Injection
Open

    "growl": {
      "version": "1.8.1",
      "from": "growl@1.8.1",
      "resolved": "https://registry.npmjs.org/growl/-/growl-1.8.1.tgz"
    },
Severity: Minor
Found in npm-shrinkwrap.json by nodesecurity

Command Injection

Overview:

Growl adds growl notification support to nodejs.

Growl does not properly sanitize input before passing it to exec, allowing for arbitrary command execution.

Recommendation:

Update to version 1.10.2 or greater

debug Regular Expression Denial of Service
Open

    "debug": {
      "version": "2.2.0",
      "from": "debug@>=2.1.1 <3.0.0",
      "resolved": "https://registry.npmjs.org/debug/-/debug-2.2.0.tgz"
    },
Severity: Minor
Found in npm-shrinkwrap.json by nodesecurity

Regular Expression Denial of Service

Overview:

The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the %o formatter. It takes around 50k characters to block for 2 seconds, making this a low severity issue.

Recommendation:

Upgrade to version 2.6.9 or greater if you are on the 2.6.x series, or to 3.1.0 or greater.

minimatch Regular Expression Denial of Service
Open

        "minimatch": {
          "version": "3.0.0",
          "from": "minimatch@>=3.0.0 <4.0.0",
          "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.0.0.tgz"
        },
Severity: Minor
Found in npm-shrinkwrap.json by nodesecurity

Regular Expression Denial of Service

Overview:

Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern), is vulnerable to ReDoS in the pattern parameter. The cause is the regular expression on line 521 of minimatch.js: /((?:\\{2})*)(\\?)\|/g. The problematic portion of the regex is ((?:\\{2})*), which matches against \\.

A proof of concept is as follows:

```javascript
var minimatch = require("minimatch");

// utility function for generating long strings
var genstr = function (len, chr) {
  var result = "";
  for (var i = 0; i <= len; i++) { result = result + chr; }
  return result;
};

// a long run of backslashes followed by a non-matching character
var exploit = "[!" + genstr(1000000, "\\") + "A";

// minimatch exploit.
console.log("starting minimatch");
minimatch("foo", exploit);
console.log("finishing minimatch");
```

Recommendation:

Update to version 3.0.2 or greater.

minimatch Regular Expression Denial of Service
Open

    "minimatch": {
      "version": "2.0.10",
      "from": "minimatch@>=2.0.3 <3.0.0",
      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-2.0.10.tgz"
    },
Severity: Minor
Found in npm-shrinkwrap.json by nodesecurity

Regular Expression Denial of Service

Overview:

Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern), is vulnerable to ReDoS in the pattern parameter. The cause is the regular expression on line 521 of minimatch.js: /((?:\\{2})*)(\\?)\|/g. The problematic portion of the regex is ((?:\\{2})*), which matches against \\.

A proof of concept is as follows:

```javascript
var minimatch = require("minimatch");

// utility function for generating long strings
var genstr = function (len, chr) {
  var result = "";
  for (var i = 0; i <= len; i++) { result = result + chr; }
  return result;
};

// a long run of backslashes followed by a non-matching character
var exploit = "[!" + genstr(1000000, "\\") + "A";

// minimatch exploit.
console.log("starting minimatch");
minimatch("foo", exploit);
console.log("finishing minimatch");
```

Recommendation:

Update to version 3.0.2 or greater.
