Tunnel-agent is a standalone Node.js module designed to facilitate HTTP proxy tunneling. Originally extracted from the popular 'request' library, it provides a clean and efficient way to establish connections through HTTP proxies. Version 0.4.3 was released on May 4, 2016, succeeding version 0.4.2, which was released on December 8, 2015.
While the core functionality remains consistent between the two versions, developers should note the release date difference as it may indicate bug fixes, performance improvements, or dependency updates incorporated in the newer version. Although the provided data doesn't explicitly detail the specific changes, the seven-month gap suggests potential enhancements.
For developers integrating tunnel-agent into their projects, this module simplifies the complexities of proxy configurations, allowing easy creation of tunnels for HTTP and HTTPS requests. Using tunnel-agent allows applications to route traffic through intermediary proxy servers, which can be particularly useful in scenarios that necessitate anonymity, bypassing network restrictions, or accessing resources behind firewalls. The Apache-2.0 license offers flexibility and reduces usage barriers. Developers needing to establish reliable and well-supported proxy connections in their Node.js applications will find tunnel-agent a valuable asset. Check the project's repository or changelog for the specific changes between the two versions.
All the vulnerabilities related to the version 0.4.3 of the package
Memory Exposure in tunnel-agent
Versions of tunnel-agent before 0.6.0 are vulnerable to memory exposure.
This is exploitable if user-supplied input is provided to the auth value and is a number.
Proof-of-concept:
    require('request')({
      method: 'GET',
      uri: 'http://www.example.com',
      tunnel: true,
      proxy: {
        protocol: 'http:',
        host: '127.0.0.1',
        port: 8080,
        auth: USERSUPPLIEDINPUT // number
      }
    });
Update to version 0.6.0 or later.
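An added example, not code from tunnel-agent or request: one way to keep a numeric auth value from reaching the proxy options when they are built from untrusted JSON. The function names and the sample input are hypothetical, and the header is encoded with Buffer.from, which rejects a number with a TypeError.

```javascript
// Added example (not tunnel-agent's code); function names are hypothetical.
// Accept only a "user:password" string; reject numbers and everything else.
function normalizeProxyAuth(value) {
  if (typeof value !== 'string') {
    throw new TypeError('proxy auth must be a string, got ' + typeof value);
  }
  if (value.indexOf(':') <= 0) {
    throw new TypeError('proxy auth must look like "user:password"');
  }
  if (/[\r\n]/.test(value)) {
    throw new TypeError('proxy auth must not contain CR or LF');
  }
  return value;
}

// Encode with Buffer.from, which throws a TypeError when handed a number.
function proxyAuthorization(auth) {
  return 'Basic ' + Buffer.from(normalizeProxyAuth(auth), 'utf8').toString('base64');
}

// Copy only the known proxy fields from untrusted input, validating each one.
function buildProxyOptions(untrusted) {
  const port = Number(untrusted.port);
  if (!Number.isInteger(port) || port < 1 || port > 65535) {
    throw new TypeError('proxy port out of range');
  }
  if (typeof untrusted.host !== 'string' || untrusted.host.length === 0) {
    throw new TypeError('proxy host must be a non-empty string');
  }
  const options = { protocol: 'http:', host: untrusted.host, port: port };
  if (untrusted.auth !== undefined) {
    options.auth = normalizeProxyAuth(untrusted.auth);
  }
  return options;
}

// Constructed sample input: JSON parsing turns an unquoted 4096 into a number.
const goodInput = JSON.parse('{"host":"127.0.0.1","port":8080,"auth":"alice:s3cret"}');
const badInput = JSON.parse('{"host":"127.0.0.1","port":8080,"auth":4096}');

function tryBuild(input) {
  try {
    return { ok: true, options: buildProxyOptions(input) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

console.log(tryBuild(goodInput).ok, tryBuild(badInput));
```

The type check belongs at the point where request data is turned into proxy options, so it still applies if a dependency pins an older tunnel-agent.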