Version Details and Security Vulnerabilities

Summary:

Code Injection in js-yaml

Details:

Versions of js-yaml prior to 3.13.1 are vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file. Objects that have toString as key, JavaScript code as value and are used as explicit mapping keys allow attackers to execute the supplied code through the load() function. The safeLoad() function is unaffected.

An example payload is { toString: !<tag:yaml.org,2002:js/function> 'function (){return Date.now()}' } : 1 which returns the object { "1553107949161": 1 }

Recommendation

Upgrade to version 3.13.1.

Summary:

js-yaml has prototype pollution in merge (<<)

Details:

Impact

In js-yaml 4.1.0, 4.0.0, and 3.14.1 and below, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (__proto__). All users who parse untrusted yaml documents may be impacted.

Patches

Problem is patched in js-yaml 4.1.1 and 3.14.2.

Workarounds

You can protect against this kind of attack on the server by using node --disable-proto=delete or deno (in Deno, pollution protection is on by default).

References

https://cheatsheetseries.owasp.org/cheatsheets/Prototype_Pollution_Prevention_Cheat_Sheet.html

Details about underscore@1.7.0

Summary:

Arbitrary Code Execution in underscore

Details:

The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Execution via the template function, particularly when a variable property is passed as an argument as it is not sanitized.

Summary:

Command Injection in lodash

Details:

lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Summary:

Prototype Pollution in lodash

Details:

Versions of lodash before 4.17.11 are vulnerable to prototype pollution.

The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.

Recommendation

Update to version 4.17.11 or later.

Summary:

Prototype Pollution in lodash

Details:

Versions of lodash before 4.17.5 are vulnerable to prototype pollution.

The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of Object via __proto__ causing the addition or modification of an existing property that will exist on all objects.

Recommendation

Update to version 4.17.5 or later.

Summary:

Prototype Pollution in lodash

Details:

Versions of lodash before 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep allows a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.

Recommendation

Update to version 4.17.12 or later.

Summary:

Inefficient Regular Expression Complexity in marked

Details:

Impact

What kind of vulnerability is it?

Denial of service.

The regular expression inline.reflinkSearch may cause catastrophic backtracking against some strings. PoC is the following.

import * as marked from 'marked';

console.log(marked.parse(`[x]: x

\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](`));

Who is impacted?

Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.

Patches

Has the problem been patched?

Yes

What versions should users upgrade to?

4.0.10

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

References

Are there any links users can visit to find out more?

https://marked.js.org/using_advanced#workers
https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS

For more information

If you have any questions or comments about this advisory:

Open an issue in marked

Summary:

Inefficient Regular Expression Complexity in marked

Details:

Impact

What kind of vulnerability is it?

Denial of service.

The regular expression block.def may cause catastrophic backtracking against some strings. PoC is the following.

import * as marked from "marked";

marked.parse(`[x]:${' '.repeat(1500)}x ${' '.repeat(1500)} x`);

Who is impacted?

Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.

Patches

Has the problem been patched?

Yes

What versions should users upgrade to?

4.0.10

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

References

Are there any links users can visit to find out more?

https://marked.js.org/using_advanced#workers
https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS

For more information

If you have any questions or comments about this advisory:

Open an issue in marked

Summary:

Marked ReDoS due to email addresses being evaluated in quadratic time

Details:

Versions of marked from 0.3.14 until 0.6.2 are vulnerable to Regular Expression Denial of Service. Email addresses may be evaluated in quadratic time, allowing attackers to potentially crash the node process due to resource exhaustion.

Recommendation

Upgrade to version 0.6.2 or later.

Details about highlight.js@8.0.0

Summary:

Prototype Pollution in highlight.js

Details:

Impact

Affected versions of this package are vulnerable to Prototype Pollution. A malicious HTML code block can be crafted that will result in prototype pollution of the base object's prototype during highlighting. If you allow users to insert custom HTML code blocks into your page/app via parsing Markdown code blocks (or similar) and do not filter the language names the user can provide you may be vulnerable.

The pollution should just be harmless data but this can cause problems for applications not expecting these properties to exist and can result in strange behavior or application crashes, i.e. a potential DOS vector.

If your website or application does not render user provided data it should be unaffected.

Patches

Versions 9.18.2 and 10.1.2 and newer include fixes for this vulnerability. If you are using version 7 or 8 you are encouraged to upgrade to a newer release.

Workarounds

Patch your library

Manually patch your library to create null objects for both languages and aliases:

const HLJS = function(hljs) {
  // ...
  var languages = Object.create(null);
  var aliases = Object.create(null);

Filter out bad data from end users:

Filter the language names that users are allowed to inject into your HTML to guarantee they are valid.

References

What is Prototype Pollution?
https://github.com/highlightjs/highlight.js/pull/2636

For more information

If you have any questions or comments about this advisory:

Please file an issue against highlight.js

Summary:

Regular Expression Denial of Service in underscore.string

Details:

Versions of underscore.string prior to 3.3.5 are vulnerable to Regular Expression Denial of Service (ReDoS).

The function unescapeHTML is vulnerable to ReDoS due to an overly-broad regex. The slowdown is approximately 2s for 50,000 characters but grows exponentially with larger inputs.

Recommendation

Upgrade to version 3.3.5 or higher.

Details about underscore.string@2.3.3

Summary:

minimatch ReDoS vulnerability

Details:

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

Summary:

Regular Expression Denial of Service in minimatch

Details:

Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern).

Proof of Concept

var minimatch = require(“minimatch”);

// utility function for generating long strings
var genstr = function (len, chr) {
  var result = “”;
  for (i=0; i<=len; i++) {
    result = result + chr;
  }
  return result;
}

var exploit = “[!” + genstr(1000000, “\\”) + “A”;

// minimatch exploit.
console.log(“starting minimatch”);
minimatch(“foo”, exploit);
console.log(“finishing minimatch”);

Recommendation

Update to version 3.0.2 or later.

Summary:

Regular Expression Denial of Service in moment

Details:

Affected versions of moment are vulnerable to a low severity regular expression denial of service when parsing dates as strings.

Recommendation

Update to version 2.19.3 or later.

Summary:

Regular Expression Denial of Service in moment

Details:

Versions of moment prior to 2.11.2 are affected by a regular expression denial of service vulnerability. The vulnerability is triggered when arbitrary user input is passed into moment.duration().

Proof of concept

var moment = require('moment');

var genstr = function (len, chr) {
    var result = "";
    for (i=0; i<=len; i++) {
        result = result + chr;
    }

    return result;
}


for (i=20000;i<=10000000;i=i+10000) {
    console.log("COUNT: " + i);
    var str = '-' + genstr(i, '1')
    console.log("LENGTH: " + str.length);
    var start = process.hrtime();
    moment.duration(str)

    var end = process.hrtime(start);
    console.log(end);
}

Results

$ node moment.js
COUNT: 20000
LENGTH: 20002
[ 0, 618931029 ]
COUNT: 30001
LENGTH: 30003
[ 1, 401413894 ]
COUNT: 40002
LENGTH: 40004
[ 2, 437075303 ]
COUNT: 50003
LENGTH: 50005
[ 3, 824664804 ]
COUNT: 60004
LENGTH: 60006
[ 5, 651335262 ]

Recommendation

Please update to version 2.11.2 or later.

Summary:

Path Traversal: 'dir/../../filename' in moment.locale

Details:

Impact

This vulnerability impacts npm (server) users of moment.js, especially if user provided locale string, eg fr is directly used to switch moment locale.

Patches

This problem is patched in 2.29.2, and the patch can be applied to all affected versions (from 1.0.1 up until 2.29.1, inclusive).

Workarounds

Sanitize user-provided locale name before passing it to moment.js.

References

Are there any links users can visit to find out more?

For more information

If you have any questions or comments about this advisory:

Open an issue in moment repo

Details about trim-newlines@1.0.0

Summary:

ini before 1.3.6 vulnerable to Prototype Pollution via ini.parse

Details:

Overview

The ini npm package before version 1.3.6 has a Prototype Pollution vulnerability.

If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.

Patches

This has been patched in 1.3.6.

Steps to reproduce

payload.ini

[__proto__]
polluted = "polluted"

poc.js:

var fs = require('fs')
var ini = require('ini')

var parsed = ini.parse(fs.readFileSync('./payload.ini', 'utf-8'))
console.log(parsed)
console.log(parsed.__proto__)
console.log(polluted)

> node poc.js
{}
{ polluted: 'polluted' }
{ polluted: 'polluted' }
polluted

Details about ini@1.1.0

Security Details

Comprehensive list of direct or transitive vulnerabilities for version 0.1.1 of the package gulp-verb.

All Security Vulnerabilities

All the vulnerabilities related to the version 0.1.1 of the package

Summary:

Uncontrolled Resource Consumption in trim-newlines

Details:

Summary:

Command Injection in lodash

Details:

lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Details about lodash.template@2.4.1

Summary:

Denial of Service in js-yaml

Details:

Recommendation

Upgrade to version 3.13.0.

Summary:

Code Injection in js-yaml

Details:

An example payload is { toString: !<tag:yaml.org,2002:js/function> 'function (){return Date.now()}' } : 1 which returns the object { "1553107949161": 1 }

Recommendation

Upgrade to version 3.13.1.

Summary:

js-yaml has prototype pollution in merge (<<)

Details:

Impact

Patches

Problem is patched in js-yaml 4.1.1 and 3.14.2.

Workarounds

You can protect against this kind of attack on the server by using node --disable-proto=delete or deno (in Deno, pollution protection is on by default).

References

https://cheatsheetseries.owasp.org/cheatsheets/Prototype_Pollution_Prevention_Cheat_Sheet.html

Details about underscore@1.7.0

Summary:

Arbitrary Code Execution in underscore

Details:

Summary:

Command Injection in lodash

Details:

lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Summary:

Prototype Pollution in lodash

Details:

Versions of lodash before 4.17.11 are vulnerable to prototype pollution.

Recommendation

Update to version 4.17.11 or later.

Summary:

Prototype Pollution in lodash

Details:

Versions of lodash before 4.17.5 are vulnerable to prototype pollution.

Recommendation

Update to version 4.17.5 or later.

Summary:

Prototype Pollution in lodash

Details:

Recommendation

Update to version 4.17.12 or later.

Summary:

Inefficient Regular Expression Complexity in marked

Details:

Impact

What kind of vulnerability is it?

Denial of service.

The regular expression inline.reflinkSearch may cause catastrophic backtracking against some strings. PoC is the following.

import * as marked from 'marked';

console.log(marked.parse(`[x]: x

\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](`));

Who is impacted?

Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.

Patches

Has the problem been patched?

Yes

What versions should users upgrade to?

4.0.10

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

References

Are there any links users can visit to find out more?

https://marked.js.org/using_advanced#workers
https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS

For more information

If you have any questions or comments about this advisory:

Open an issue in marked

Summary:

Inefficient Regular Expression Complexity in marked

Details:

Impact

What kind of vulnerability is it?

Denial of service.

The regular expression block.def may cause catastrophic backtracking against some strings. PoC is the following.

import * as marked from "marked";

marked.parse(`[x]:${' '.repeat(1500)}x ${' '.repeat(1500)} x`);

Who is impacted?

Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.

Patches

Has the problem been patched?

Yes

What versions should users upgrade to?

4.0.10

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

References

Are there any links users can visit to find out more?

https://marked.js.org/using_advanced#workers
https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS

For more information

If you have any questions or comments about this advisory:

Open an issue in marked

Summary:

Marked ReDoS due to email addresses being evaluated in quadratic time

Details:

Recommendation

Upgrade to version 0.6.2 or later.

Details about highlight.js@8.0.0

Summary:

Prototype Pollution in highlight.js

Details:

Impact

If your website or application does not render user provided data it should be unaffected.

Patches

Versions 9.18.2 and 10.1.2 and newer include fixes for this vulnerability. If you are using version 7 or 8 you are encouraged to upgrade to a newer release.

Workarounds

Patch your library

Manually patch your library to create null objects for both languages and aliases:

const HLJS = function(hljs) {
  // ...
  var languages = Object.create(null);
  var aliases = Object.create(null);

Filter out bad data from end users:

Filter the language names that users are allowed to inject into your HTML to guarantee they are valid.

References

What is Prototype Pollution?
https://github.com/highlightjs/highlight.js/pull/2636

For more information

If you have any questions or comments about this advisory:

Please file an issue against highlight.js

Summary:

Regular Expression Denial of Service in underscore.string

Details:

Versions of underscore.string prior to 3.3.5 are vulnerable to Regular Expression Denial of Service (ReDoS).

The function unescapeHTML is vulnerable to ReDoS due to an overly-broad regex. The slowdown is approximately 2s for 50,000 characters but grows exponentially with larger inputs.

Recommendation

Upgrade to version 3.3.5 or higher.

Details about underscore.string@2.3.3

Summary:

minimatch ReDoS vulnerability

Details:

Summary:

Regular Expression Denial of Service in minimatch

Details:

Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern).

Proof of Concept

var minimatch = require(“minimatch”);

// utility function for generating long strings
var genstr = function (len, chr) {
  var result = “”;
  for (i=0; i<=len; i++) {
    result = result + chr;
  }
  return result;
}

var exploit = “[!” + genstr(1000000, “\\”) + “A”;

// minimatch exploit.
console.log(“starting minimatch”);
minimatch(“foo”, exploit);
console.log(“finishing minimatch”);

Recommendation

Update to version 3.0.2 or later.

Summary:

Regular Expression Denial of Service in moment

Details:

Affected versions of moment are vulnerable to a low severity regular expression denial of service when parsing dates as strings.

Recommendation

Update to version 2.19.3 or later.

Summary:

Regular Expression Denial of Service in moment

Details:

Versions of moment prior to 2.11.2 are affected by a regular expression denial of service vulnerability. The vulnerability is triggered when arbitrary user input is passed into moment.duration().

Proof of concept

var moment = require('moment');

var genstr = function (len, chr) {
    var result = "";
    for (i=0; i<=len; i++) {
        result = result + chr;
    }

    return result;
}


for (i=20000;i<=10000000;i=i+10000) {
    console.log("COUNT: " + i);
    var str = '-' + genstr(i, '1')
    console.log("LENGTH: " + str.length);
    var start = process.hrtime();
    moment.duration(str)

    var end = process.hrtime(start);
    console.log(end);
}

Results

$ node moment.js
COUNT: 20000
LENGTH: 20002
[ 0, 618931029 ]
COUNT: 30001
LENGTH: 30003
[ 1, 401413894 ]
COUNT: 40002
LENGTH: 40004
[ 2, 437075303 ]
COUNT: 50003
LENGTH: 50005
[ 3, 824664804 ]
COUNT: 60004
LENGTH: 60006
[ 5, 651335262 ]

Recommendation

Please update to version 2.11.2 or later.

Summary:

Path Traversal: 'dir/../../filename' in moment.locale

Details:

Impact

This vulnerability impacts npm (server) users of moment.js, especially if user provided locale string, eg fr is directly used to switch moment locale.

Patches

This problem is patched in 2.29.2, and the patch can be applied to all affected versions (from 1.0.1 up until 2.29.1, inclusive).

Workarounds

Sanitize user-provided locale name before passing it to moment.js.

References

Are there any links users can visit to find out more?

For more information

If you have any questions or comments about this advisory:

Open an issue in moment repo