Version Details and Security Vulnerabilities

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern).

Proof of Concept

var minimatch = require(“minimatch”);

// utility function for generating long strings
var genstr = function (len, chr) {
  var result = “”;
  for (i=0; i<=len; i++) {
    result = result + chr;
  }
  return result;
}

var exploit = “[!” + genstr(1000000, “\\”) + “A”;

// minimatch exploit.
console.log(“starting minimatch”);
minimatch(“foo”, exploit);
console.log(“finishing minimatch”);

Recommendation

Update to version 3.0.2 or later.

Versions of ecstatic prior to 4.1.2, 3.3.2 or 2.2.2 are vulnerable to Open Redirect. The package fails to validate redirects, allowing attackers to craft requests that result in an HTTP 301 redirect to any other domains.

Recommendation

If using ecstatic 4.x, upgrade to 4.1.2 or later. If using ecstatic 3.x, upgrade to 3.3.2 or later. If using ecstatic 2.x, upgrade to 2.2.2 or later.

ecstatic have a denial of service vulnerability. Successful exploitation could lead to crash of an application.

ecstatic, a simple static file server middleware, is vulnerable to denial of service. If a payload with a large number of null bytes (%00) is provided by an attacker it can crash ecstatic by running it out of memory.

Results from the original advisory

A payload of 22kB caused a lag of 1 second,
A payload of 35kB caused a lag of 3 seconds,
A payload of 86kB caused the server to crash

Recommendation

Update to version 2.0.0 or later.

Versions of ecstatic prior to 1.4.0 are affected by a denial of service vulnerability when certain input strings are sent via the Last-Modified or If-Modified-Since headers.

Parsing certain inputs with new Date() or Date.parse() cases v8 to crash. As ecstatic passes the value of the affected headers into one of these functions, sending certain inputs via one of the headers will cause the server to crash.

Recommendation

Update to version 1.4.0 or later.

Affected versions of mime are vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.

Recommendation

Update to version 2.0.3 or later.

Affected versions of shell-quote do not properly escape command line arguments, which may result in command injection if the library is used to escape user input destined for use as command line arguments.

Proof of Concept:

The following characters are not escaped properly: >,;,{,}

Bash has a neat but not well known feature known as "Bash Brace Expansion", wherein a sub-command can be executed without spaces by running it between a set of {} and using the , instead of to seperate arguments. Because of this, full command injection is possible even though it was initially thought to be impossible.

   const quote = require('shell-quote').quote;
   console.log(quote(['a;{echo,test,123,234}']));
   // Actual                    "a;{echo,test,123,234}"
   // Expected                  "a\;\{echo,test,123,234\}"
   // Functional Equivalent     "a; echo 'test' '123' '1234'"

Recommendation

Update to version 1.6.1 or later.

All versions of package merge <2.1.1 are vulnerable to Prototype Pollution via _recursiveMerge .

Versions of merge before 1.2.1 are vulnerable to prototype pollution. The merge.recursive function can be tricked into adding or modifying properties of the Object prototype.

Recommendation

Update to version 1.2.1 or later.

Prototype pollution vulnerability via .parse() in Plist allows attackers to cause a Denial of Service (DoS) and may lead to remote code execution.