Version Details and Security Vulnerabilities

📦

karma

0.8.7

Comparision Betweeen 0.8.7 and 0.8.6

Identify the differences between the current version of the package and the previous one.

Version

Dependencies

Dev Dependencies

Peer Dependencies

Distributed Files

N/A

Unpacked Size

N/A

Version 0.8.7 Details

Karma is a popular JavaScript test runner used to execute tests in real browsers, making it an invaluable tool for ensuring code quality and cross-browser compatibility. Comparing versions 0.8.6 and 0.8.7, developers will find minimal differences in the core dependencies and development dependencies. Both versions rely on the same set of libraries such as 'q' for promises, 'glob' for file matching, 'socket.io' for communication, and testing frameworks like 'mocha', 'chai', and 'sinon'. This indicates a stable foundation for testing workflows.

The significant difference lies in their release dates, with version 0.8.7 being released approximately a month after 0.8.6. While specifics of the changes between these versions are not detailed in provided metadata, typically such minor version bumps (0.8.x) address bug fixes, performance improvements, or small feature enhancements. For developers, upgrading from 0.8.6 to 0.8.7 should generally be a safe and straightforward process. If encountering problems it is advised to check the official Karma changelog or release notes for detailed information on the changes incorporated in version 0.8.7.

Using Karma allows developers to automate their testing process, ensuring that code changes do not introduce regressions. Its ability to run tests in multiple browsers environments simultaneously provides comprehensive test coverage.

Security Vulnerabilities

This site is an independent open-source project and is not affiliated with, endorsed by, or sponsored by npm, Inc. or GitHub, Inc. The name “npm” is a registered trademark of npm, Inc., used here solely to describe compatibility and reference publicly available npm package data.

Version Details and Security Vulnerabilities

📦

karma

0.8.7

Comparision Betweeen 0.8.7 and 0.8.6

Identify the differences between the current version of the package and the previous one.

Version

Dependencies

Dev Dependencies

Peer Dependencies

Distributed Files

N/A

Unpacked Size

N/A

Version 0.8.7 Details

Security Vulnerabilities

Security Details

Comprehensive list of direct or transitive vulnerabilities for version 0.8.7 of the package karma.

All Security Vulnerabilities

All the vulnerabilities related to the version 0.8.7 of the package

Summary:

Cross-site Scripting in karma

Details:

karma prior to version 6.3.14 contains a cross-site scripting vulnerability.

Details about karma@0.8.7

Summary:

Open redirect in karma

Details:

Karma before 6.3.16 is vulnerable to Open Redirect due to missing validation of the return_url query parameter.

Details about karma@0.8.7

Summary:

mime Regular Expression Denial of Service when MIME lookup performed on untrusted user input

Details:

Affected versions of mime are vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.

Recommendation

Update to version 2.0.3 or later.

Details about mime@1.2.11

Summary:

Prototype Pollution in lodash

Details:

Versions of lodash before 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep allows a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.

Recommendation

Update to version 4.17.12 or later.

Details about lodash@1.1.1

Summary:

Prototype Pollution in lodash

Details:

Versions of lodash before 4.17.5 are vulnerable to prototype pollution.

The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of Object via __proto__ causing the addition or modification of an existing property that will exist on all objects.

Recommendation

Update to version 4.17.5 or later.

Details about lodash@1.1.1

Summary:

Prototype Pollution in lodash

Details:

Versions of lodash before 4.17.11 are vulnerable to prototype pollution.

The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.

Recommendation

Update to version 4.17.11 or later.

Details about lodash@1.1.1

Summary:

Regular Expression Denial of Service (ReDoS) in lodash

Details:

lodash prior to 4.7.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.7.11.

Details about lodash@1.1.1

Summary:

Regular Expression Denial of Service (ReDoS) in lodash

Details:

All versions of package lodash prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

Steps to reproduce (provided by reporter Liyuan Chen):

var lo = require('lodash');

function build_blank(n) {
    var ret = "1"
    for (var i = 0; i < n; i++) {
        ret += " "
    }
    return ret + "1";
}
var s = build_blank(50000) var time0 = Date.now();
lo.trim(s) 
var time_cost0 = Date.now() - time0;
console.log("time_cost0: " + time_cost0);
var time1 = Date.now();
lo.toNumber(s) var time_cost1 = Date.now() - time1;
console.log("time_cost1: " + time_cost1);
var time2 = Date.now();
lo.trimEnd(s);
var time_cost2 = Date.now() - time2;
console.log("time_cost2: " + time_cost2);

Details about lodash@1.1.1

Summary:

Command Injection in lodash

Details:

lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Details about lodash@1.1.1

Summary:

Incorrect Default Permissions in log4js

Details:

Impact

Default file permissions for log files created by the file, fileSync and dateFile appenders are world-readable (in unix). This could cause problems if log files contain sensitive information. This would affect any users that have not supplied their own permissions for the files via the mode parameter in the config.

Patches

Fixed by:

https://github.com/log4js-node/log4js-node/pull/1141
https://github.com/log4js-node/streamroller/pull/87

Released to NPM in log4js@6.4.0

Workarounds

Every version of log4js published allows passing the mode parameter to the configuration of file appenders, see the documentation for details.

References

Thanks to ranjit-git for raising the issue, and to @lamweili for fixing the problem.

For more information

If you have any questions or comments about this advisory:

Open an issue in logj4s-node
Ask a question in the slack channel
Email us at gareth.nomiddlename@gmail.com

Details about log4js@0.6.38

Summary:

semver vulnerable to Regular Expression Denial of Service

Details:

Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

Details about semver@4.3.6

Summary:

Prototype Pollution in handlebars

Details:

Versions of handlebars prior to 4.0.14 are vulnerable to Prototype Pollution. Templates may alter an Objects' prototype, thus allowing an attacker to execute arbitrary code on the server.

Recommendation

For handlebars 4.1.x upgrade to 4.1.2 or later. For handlebars 4.0.x upgrade to 4.0.14 or later.

Details about handlebars@1.0.12

Summary:

Arbitrary Code Execution in handlebars

Details:

Versions of handlebars prior to 3.0.8 or 4.5.2 are vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system. It can be used to run arbitrary code in a server processing Handlebars templates or on a victim's browser (effectively serving as Cross-Site Scripting).

The following template can be used to demonstrate the vulnerability:

	{{#with split as |a|}}
		{{pop (push "alert('Vulnerable Handlebars JS');")}}
		{{#with (concat (lookup join (slice 0 1)))}}
			{{#each (slice 2 3)}}
				{{#with (apply 0 a)}}
					{{.}}
				{{/with}}
			{{/each}}
		{{/with}}
	{{/with}}
{{/with}}```


## Recommendation

Upgrade to version 3.0.8, 4.5.2 or later.

Details about handlebars@1.0.12

Summary:

Arbitrary Code Execution in Handlebars

Details:

Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).

Details about handlebars@1.0.12

Summary:

Prototype Pollution in handlebars

Details:

Versions of handlebars prior to 3.0.8 or 4.5.3 are vulnerable to prototype pollution. It is possible to add or modify properties to the Object prototype through a malicious template. This may allow attackers to crash the application or execute Arbitrary Code in specific conditions.

Recommendation

Upgrade to version 3.0.8, 4.5.3 or later.

Details about handlebars@1.0.12

Summary:

Arbitrary Code Execution in handlebars

Details:

Versions of handlebars prior to 3.0.8 or 4.5.3 are vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system. It is due to an incomplete fix for a previous issue. This vulnerability can be used to run arbitrary code in a server processing Handlebars templates or on a victim's browser (effectively serving as Cross-Site Scripting).

Recommendation

Upgrade to version 3.0.8, 4.5.3 or later.

Details about handlebars@1.0.12

Summary:

Prototype Pollution in handlebars

Details:

Versions of handlebars prior to 3.0.8 or 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Objects' __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads.

Recommendation

Upgrade to version 3.0.8, 4.3.0 or later.

Details about handlebars@1.0.12

Summary:

Cross-Site Scripting in handlebars

Details:

Versions of handlebars prior to 4.0.0 are affected by a cross-site scripting vulnerability when attributes in handlebar templates are not quoted.

Proof of Concept

Template: <a href={{foo}}/>

Input: { 'foo' : 'test.com onload=alert(1)'}

Rendered result: <a href=test.com onload=alert(1)/>

Recommendation

Update to version 4.0.0 or later. Alternatively, ensure that all attributes in handlebars templates are encapsulated with quotes.

Details about handlebars@1.0.12

Summary:

Prototype Pollution in handlebars

Details:

The package handlebars before 4.7.7 are vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.

Details about handlebars@1.0.12

Summary:

Remote code execution in handlebars when compiling templates

Details:

The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.

Details about handlebars@1.0.12

Summary:

Incorrect Handling of Non-Boolean Comparisons During Minification in uglify-js

Details:

Versions of uglify-js prior to 2.4.24 are affected by a vulnerability which may cause crafted JavaScript to have altered functionality after minification.

Recommendation

Upgrade UglifyJS to version >= 2.4.24.

Details about uglify-js@2.3.6

Summary:

Regular Expression Denial of Service in uglify-js

Details:

Versions of uglify-js prior to 2.6.0 are affected by a regular expression denial of service vulnerability when malicious inputs are passed into the parse() method.

Proof of Concept

var u = require('uglify-js');
var genstr = function (len, chr) {
    var result = "";
    for (i=0; i<=len; i++) {
        result = result + chr;
    }

    return result;
}

u.parse("var a = " + genstr(process.argv[2], "1") + ".1ee7;");

Results

$ time node test.js 10000
real	0m1.091s
user	0m1.047s
sys	0m0.039s

$ time node test.js 80000
real	0m6.486s
user	0m6.229s
sys	0m0.094s

Recommendation

Update to version 2.6.0 or later.

Details about uglify-js@2.3.6

Summary:

Regular Expression Denial of Service in minimatch

Details:

Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern).

Proof of Concept

var minimatch = require(“minimatch”);

// utility function for generating long strings
var genstr = function (len, chr) {
  var result = “”;
  for (i=0; i<=len; i++) {
    result = result + chr;
  }
  return result;
}

var exploit = “[!” + genstr(1000000, “\\”) + “A”;

// minimatch exploit.
console.log(“starting minimatch”);
minimatch(“foo”, exploit);
console.log(“finishing minimatch”);

Recommendation

Update to version 3.0.2 or later.

Details about minimatch@0.2.14

Summary:

minimatch ReDoS vulnerability

Details:

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

Details about minimatch@0.2.14

Summary:

CORS misconfiguration in socket.io

Details:

The package socket.io before 2.4.0 are vulnerable to Insecure Defaults due to CORS Misconfiguration. All domains are whitelisted by default.

Details about socket.io@0.9.19

Summary:

socket.io has an unhandled 'error' event

Details:

Impact

A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.

node:events:502
    throw err; // Unhandled 'error' event
    ^

Error [ERR_UNHANDLED_ERROR]: Unhandled error. (undefined)
    at new NodeError (node:internal/errors:405:5)
    at Socket.emit (node:events:500:17)
    at /myapp/node_modules/socket.io/lib/socket.js:531:14
    at process.processTicksAndRejections (node:internal/process/task_queues:77:11) {
  code: 'ERR_UNHANDLED_ERROR',
  context: undefined
}

Affected versions

| Version range | Needs minor update? | |------------------|------------------------------------------------| | 4.6.2...latest | Nothing to do | | 3.0.0...4.6.1 | Please upgrade to socket.io@4.6.2 (at least) | | 2.3.0...2.5.0 | Please upgrade to socket.io@2.5.1 |

Patches

This issue is fixed by https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115, included in socket.io@4.6.2 (released in May 2023).

The fix was backported in the 2.x branch today: https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c

Workarounds

As a workaround for the affected versions of the socket.io package, you can attach a listener for the "error" event:

io.on("connection", (socket) => {
  socket.on("error", () => {
    // ...
  });
});

For more information

If you have any questions or comments about this advisory:

Open a discussion here

Thanks a lot to Paul Taylor for the responsible disclosure.

References

https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115
https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c

Details about socket.io@0.9.19

Summary:

Remote Memory Disclosure in ws

Details:

Versions of ws prior to 1.0.1 are affected by a remote memory disclosure vulnerability.

In certain rare circumstances, applications which allow users to control the arguments of a client.ping() call will cause ws to send the contents of an allocated but non-zero-filled buffer to the server. This may disclose sensitive information that still exists in memory after previous use of the memory for other tasks.

Proof of Concept

var ws = require('ws')

var server = new ws.Server({ port: 9000 })
var client = new ws('ws://localhost:9000')

client.on('open', function () {
  console.log('open')
  client.ping(50) // this sends a non-zeroed buffer of 50 bytes

  client.on('pong', function (data) {
    console.log('got pong')
    console.log(data) // Data from the client. 
  })
})

Recommendation

Update to version 1.0.1 or greater.

Details about ws@0.4.32

Summary:

DoS due to excessively large websocket message in ws

Details:

Affected versions of ws do not appropriately limit the size of incoming websocket payloads, which may result in a denial of service condition when the node process crashes after receiving a large payload.

Recommendation

Update to version 1.1.1 or later. Alternatively, set the maxpayload option for the ws server to a value smaller than 256MB.

Details about ws@0.4.32

Summary:

Denial of Service in ws

Details:

Affected versions of ws can crash when a specially crafted Sec-WebSocket-Extensions header containing Object.prototype property names as extension or parameter names is sent.

Proof of concept

const WebSocket = require('ws');
const net = require('net');

const wss = new WebSocket.Server({ port: 3000 }, function () {
  const payload = 'constructor';  // or ',;constructor'

  const request = [
    'GET / HTTP/1.1',
    'Connection: Upgrade',
    'Sec-WebSocket-Key: test',
    'Sec-WebSocket-Version: 8',
    `Sec-WebSocket-Extensions: ${payload}`,
    'Upgrade: websocket',
    '\r\n'
  ].join('\r\n');

  const socket = net.connect(3000, function () {
    socket.resume();
    socket.write(request);
  });
});

Recommendation

Update to version 3.3.1 or later.

Details about ws@0.4.32

Summary:

xmlhttprequest and xmlhttprequest-ssl vulnerable to Arbitrary Code Injection

Details:

This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.

Details about xmlhttprequest@1.4.2

Summary:

Denial of Service in http-proxy

Details:

Versions of http-proxy prior to 1.18.1 are vulnerable to Denial of Service. An HTTP request with a long body triggers an ERR_HTTP_HEADERS_SENT unhandled exception that crashes the proxy server. This is only possible when the proxy server sets headers in the proxy request using the proxyReq.setHeader function.

For a proxy server running on http://localhost:3000, the following curl request triggers the unhandled exception:
curl -XPOST http://localhost:3000 -d "$(python -c 'print("x"*1025)')"

Recommendation

Upgrade to version 1.18.1 or later

Details about http-proxy@0.10.4

Security Details

Comprehensive list of direct or transitive vulnerabilities for version 0.8.7 of the package karma.

All Security Vulnerabilities

All the vulnerabilities related to the version 0.8.7 of the package

Summary:

Cross-site Scripting in karma

Details:

karma prior to version 6.3.14 contains a cross-site scripting vulnerability.

Details about karma@0.8.7

Summary:

Open redirect in karma

Details:

Karma before 6.3.16 is vulnerable to Open Redirect due to missing validation of the return_url query parameter.

Details about karma@0.8.7

Summary:

mime Regular Expression Denial of Service when MIME lookup performed on untrusted user input

Details:

Affected versions of mime are vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.

Recommendation

Update to version 2.0.3 or later.

Details about mime@1.2.11

Summary:

Prototype Pollution in lodash

Details:

Recommendation

Update to version 4.17.12 or later.

Details about lodash@1.1.1

Summary:

Prototype Pollution in lodash

Details:

Versions of lodash before 4.17.5 are vulnerable to prototype pollution.

Recommendation

Update to version 4.17.5 or later.

Details about lodash@1.1.1

Summary:

Prototype Pollution in lodash

Details:

Versions of lodash before 4.17.11 are vulnerable to prototype pollution.

Recommendation

Update to version 4.17.11 or later.

Details about lodash@1.1.1

Summary:

Regular Expression Denial of Service (ReDoS) in lodash

Details:

Details about lodash@1.1.1

Summary:

Regular Expression Denial of Service (ReDoS) in lodash

Details:

All versions of package lodash prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

Steps to reproduce (provided by reporter Liyuan Chen):

var lo = require('lodash');

function build_blank(n) {
    var ret = "1"
    for (var i = 0; i < n; i++) {
        ret += " "
    }
    return ret + "1";
}
var s = build_blank(50000) var time0 = Date.now();
lo.trim(s) 
var time_cost0 = Date.now() - time0;
console.log("time_cost0: " + time_cost0);
var time1 = Date.now();
lo.toNumber(s) var time_cost1 = Date.now() - time1;
console.log("time_cost1: " + time_cost1);
var time2 = Date.now();
lo.trimEnd(s);
var time_cost2 = Date.now() - time2;
console.log("time_cost2: " + time_cost2);

Details about lodash@1.1.1

Summary:

Command Injection in lodash

Details:

lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Details about lodash@1.1.1

Summary:

Incorrect Default Permissions in log4js

Details:

Impact

Patches

Fixed by:

https://github.com/log4js-node/log4js-node/pull/1141
https://github.com/log4js-node/streamroller/pull/87

Released to NPM in log4js@6.4.0

Workarounds

Every version of log4js published allows passing the mode parameter to the configuration of file appenders, see the documentation for details.

References

Thanks to ranjit-git for raising the issue, and to @lamweili for fixing the problem.

For more information

If you have any questions or comments about this advisory:

Open an issue in logj4s-node
Ask a question in the slack channel
Email us at gareth.nomiddlename@gmail.com

Details about log4js@0.6.38

Summary:

semver vulnerable to Regular Expression Denial of Service

Details:

Details about semver@4.3.6

Summary:

Prototype Pollution in handlebars

Details:

Versions of handlebars prior to 4.0.14 are vulnerable to Prototype Pollution. Templates may alter an Objects' prototype, thus allowing an attacker to execute arbitrary code on the server.

Recommendation

For handlebars 4.1.x upgrade to 4.1.2 or later. For handlebars 4.0.x upgrade to 4.0.14 or later.

Details about handlebars@1.0.12

Summary:

Arbitrary Code Execution in handlebars

Details:

The following template can be used to demonstrate the vulnerability:

	{{#with split as |a|}}
		{{pop (push "alert('Vulnerable Handlebars JS');")}}
		{{#with (concat (lookup join (slice 0 1)))}}
			{{#each (slice 2 3)}}
				{{#with (apply 0 a)}}
					{{.}}
				{{/with}}
			{{/each}}
		{{/with}}
	{{/with}}
{{/with}}```


## Recommendation

Upgrade to version 3.0.8, 4.5.2 or later.

Details about handlebars@1.0.12

Summary:

Arbitrary Code Execution in Handlebars

Details:

Details about handlebars@1.0.12

Summary:

Prototype Pollution in handlebars

Details:

Recommendation

Upgrade to version 3.0.8, 4.5.3 or later.

Details about handlebars@1.0.12

Summary:

Arbitrary Code Execution in handlebars

Details:

Recommendation

Upgrade to version 3.0.8, 4.5.3 or later.

Details about handlebars@1.0.12

Summary:

Prototype Pollution in handlebars

Details:

Recommendation

Upgrade to version 3.0.8, 4.3.0 or later.

Details about handlebars@1.0.12

Summary:

Cross-Site Scripting in handlebars

Details:

Versions of handlebars prior to 4.0.0 are affected by a cross-site scripting vulnerability when attributes in handlebar templates are not quoted.

Proof of Concept

Template: <a href={{foo}}/>

Input: { 'foo' : 'test.com onload=alert(1)'}

Rendered result: <a href=test.com onload=alert(1)/>

Recommendation

Update to version 4.0.0 or later. Alternatively, ensure that all attributes in handlebars templates are encapsulated with quotes.

Details about handlebars@1.0.12

Summary:

Prototype Pollution in handlebars

Details:

The package handlebars before 4.7.7 are vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.

Details about handlebars@1.0.12

Summary:

Remote code execution in handlebars when compiling templates

Details:

The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.

Details about handlebars@1.0.12

Summary:

Incorrect Handling of Non-Boolean Comparisons During Minification in uglify-js

Details:

Versions of uglify-js prior to 2.4.24 are affected by a vulnerability which may cause crafted JavaScript to have altered functionality after minification.

Recommendation

Upgrade UglifyJS to version >= 2.4.24.

Details about uglify-js@2.3.6

Summary:

Regular Expression Denial of Service in uglify-js

Details:

Versions of uglify-js prior to 2.6.0 are affected by a regular expression denial of service vulnerability when malicious inputs are passed into the parse() method.

Proof of Concept

var u = require('uglify-js');
var genstr = function (len, chr) {
    var result = "";
    for (i=0; i<=len; i++) {
        result = result + chr;
    }

    return result;
}

u.parse("var a = " + genstr(process.argv[2], "1") + ".1ee7;");

Results

$ time node test.js 10000
real	0m1.091s
user	0m1.047s
sys	0m0.039s

$ time node test.js 80000
real	0m6.486s
user	0m6.229s
sys	0m0.094s

Recommendation

Update to version 2.6.0 or later.

Details about uglify-js@2.3.6

Summary:

Regular Expression Denial of Service in minimatch

Details:

Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern).

Proof of Concept

var minimatch = require(“minimatch”);

// utility function for generating long strings
var genstr = function (len, chr) {
  var result = “”;
  for (i=0; i<=len; i++) {
    result = result + chr;
  }
  return result;
}

var exploit = “[!” + genstr(1000000, “\\”) + “A”;

// minimatch exploit.
console.log(“starting minimatch”);
minimatch(“foo”, exploit);
console.log(“finishing minimatch”);

Recommendation

Update to version 3.0.2 or later.

Details about minimatch@0.2.14

Summary:

minimatch ReDoS vulnerability

Details:

Details about minimatch@0.2.14

Summary:

CORS misconfiguration in socket.io

Details:

The package socket.io before 2.4.0 are vulnerable to Insecure Defaults due to CORS Misconfiguration. All domains are whitelisted by default.

Details about socket.io@0.9.19

Summary:

socket.io has an unhandled 'error' event

Details:

Impact

A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.

node:events:502
    throw err; // Unhandled 'error' event
    ^

Error [ERR_UNHANDLED_ERROR]: Unhandled error. (undefined)
    at new NodeError (node:internal/errors:405:5)
    at Socket.emit (node:events:500:17)
    at /myapp/node_modules/socket.io/lib/socket.js:531:14
    at process.processTicksAndRejections (node:internal/process/task_queues:77:11) {
  code: 'ERR_UNHANDLED_ERROR',
  context: undefined
}

Affected versions

Patches

This issue is fixed by https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115, included in socket.io@4.6.2 (released in May 2023).

The fix was backported in the 2.x branch today: https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c

Workarounds

As a workaround for the affected versions of the socket.io package, you can attach a listener for the "error" event:

io.on("connection", (socket) => {
  socket.on("error", () => {
    // ...
  });
});

For more information

If you have any questions or comments about this advisory:

Open a discussion here

Thanks a lot to Paul Taylor for the responsible disclosure.

References

https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115
https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c

Details about socket.io@0.9.19

Summary:

Remote Memory Disclosure in ws

Details:

Versions of ws prior to 1.0.1 are affected by a remote memory disclosure vulnerability.

Proof of Concept

var ws = require('ws')

var server = new ws.Server({ port: 9000 })
var client = new ws('ws://localhost:9000')

client.on('open', function () {
  console.log('open')
  client.ping(50) // this sends a non-zeroed buffer of 50 bytes

  client.on('pong', function (data) {
    console.log('got pong')
    console.log(data) // Data from the client. 
  })
})

Recommendation

Update to version 1.0.1 or greater.

Details about ws@0.4.32

Summary:

DoS due to excessively large websocket message in ws

Details:

Recommendation

Update to version 1.1.1 or later. Alternatively, set the maxpayload option for the ws server to a value smaller than 256MB.

Details about ws@0.4.32

Summary:

Denial of Service in ws

Details:

Affected versions of ws can crash when a specially crafted Sec-WebSocket-Extensions header containing Object.prototype property names as extension or parameter names is sent.

Proof of concept

const WebSocket = require('ws');
const net = require('net');

const wss = new WebSocket.Server({ port: 3000 }, function () {
  const payload = 'constructor';  // or ',;constructor'

  const request = [
    'GET / HTTP/1.1',
    'Connection: Upgrade',
    'Sec-WebSocket-Key: test',
    'Sec-WebSocket-Version: 8',
    `Sec-WebSocket-Extensions: ${payload}`,
    'Upgrade: websocket',
    '\r\n'
  ].join('\r\n');

  const socket = net.connect(3000, function () {
    socket.resume();
    socket.write(request);
  });
});

Recommendation

Update to version 3.3.1 or later.

Details about ws@0.4.32

Summary:

xmlhttprequest and xmlhttprequest-ssl vulnerable to Arbitrary Code Injection

Details:

Details about xmlhttprequest@1.4.2

Summary:

Denial of Service in http-proxy

Details:

For a proxy server running on http://localhost:3000, the following curl request triggers the unhandled exception:
curl -XPOST http://localhost:3000 -d "$(python -c 'print("x"*1025)')"

Recommendation

Upgrade to version 1.18.1 or later

Details about http-proxy@0.10.4

Version Details and Security Vulnerabilities

karma

Comparision Betweeen 0.8.7 and 0.8.6

Version 0.8.7 Details

Security Vulnerabilities

Version Details and Security Vulnerabilities

karma

Comparision Betweeen 0.8.7 and 0.8.6

Version 0.8.7 Details

Security Vulnerabilities

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

karma@0.8.7 GHSA-7x7c-qm48-pq9c 6.1

karma@0.8.7 GHSA-rc3x-jf5g-xvc5 5.4

mime@1.2.11 GHSA-wrvr-8mpx-r7pp 7.5

Recommendation

lodash@1.1.1 GHSA-jf85-cpcp-j695 9.1

Recommendation

lodash@1.1.1 GHSA-fvqr-27wr-82fm 6.5

Recommendation

lodash@1.1.1 GHSA-4xc9-xhrj-v574 N/A

Recommendation

lodash@1.1.1 GHSA-x5rq-j2xg-h7qm N/A

lodash@1.1.1 GHSA-29mw-wpgm-hmr9 5.3

lodash@1.1.1 GHSA-35jh-r3h4-6jhm 7.2

log4js@0.6.38 GHSA-82v2-mx6x-wq7q 5.5

Impact

Patches

Workarounds

References

For more information

semver@4.3.6 GHSA-c2qf-rxjj-qqgw 7.5

handlebars@1.0.12 GHSA-q42p-pg8m-cqh6 7.3

Recommendation

handlebars@1.0.12 GHSA-2cf5-4w76-r9qv 7.3

handlebars@1.0.12 GHSA-3cqr-58rm-57f8 8.1

handlebars@1.0.12 GHSA-g9r4-xpmj-mj65 N/A

Recommendation

handlebars@1.0.12 GHSA-q2c6-c6pm-g3gh N/A

Recommendation

handlebars@1.0.12 GHSA-w457-6q6x-cgp9 9.8

Recommendation

handlebars@1.0.12 GHSA-9prh-257w-9277 6.1

Proof of Concept

Recommendation

handlebars@1.0.12 GHSA-765h-qjxv-5f44 9.8

handlebars@1.0.12 GHSA-f2jv-r9rf-7988 9.8

uglify-js@2.3.6 GHSA-34r7-q49f-h37c 9.8

Recommendation

uglify-js@2.3.6 GHSA-c9f4-xj24-8jqx 7.5

Proof of Concept

Results

Recommendation

minimatch@0.2.14 GHSA-hxm2-r34f-qmc5 7.5

Proof of Concept

Recommendation

minimatch@0.2.14 GHSA-f8q6-p94x-37v3 7.5

socket.io@0.9.19 GHSA-fxwf-4rqh-v8g3 4.3

socket.io@0.9.19 GHSA-25hc-qcg6-38wj 6.9

Impact

Affected versions

Patches

Workarounds

For more information

References

ws@0.4.32 GHSA-2mhh-w6q8-5hxw N/A

Proof of Concept

Recommendation

ws@0.4.32 GHSA-6663-c963-2gqg N/A

Recommendation

ws@0.4.32 GHSA-5v72-xg48-5rpm 7.5

Proof of concept

Recommendation

xmlhttprequest@1.4.2 GHSA-h4j5-c7cj-74xg 9.8

http-proxy@0.10.4 GHSA-6x33-pw7p-hmpq 7.5

Recommendation

Security Details