Описание
Missing Release of Memory after Effective Lifetime in detect-character-encoding
Impact
In detect-character-encoding v0.3.0 and earlier, allocated memory is not released.
Patches
The problem has been patched in detect-character-encoding v0.3.1.
CVSS score
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/RL:O/RC:C
Base Score: 7.5 (High) Temporal Score: 7.2 (High)
Since detect-character-encoding is a library, the scoring is based on the “reasonable worst-case implementation scenario”, namely, using detect-character-encoding in a program accessible over the internet which becomes unavailable when running out of memory. Depending on your specific implementation, the vulnerability’s severity in your program may be different.
Proof of concept
hey -n 1000000 http://localhost:3000 (hey) causes the Node.js process to consume more and more memory.
References
Ссылки
- https://github.com/sonicdoe/detect-character-encoding/security/advisories/GHSA-5rwj-j5m3-3chj
- https://nvd.nist.gov/vuln/detail/CVE-2021-39176
- https://github.com/sonicdoe/detect-character-encoding/pull/6
- https://github.com/sonicdoe/detect-character-encoding/commit/d44356927b92e3b13e178071bf6d7c671766f588
- https://github.com/sonicdoe/detect-character-encoding/releases/tag/v0.3.1
Пакеты
detect-character-encoding
< 0.3.1
0.3.1
Связанные уязвимости
detect-character-encoding is a package for detecting character encoding using ICU. In detect-character-encoding v0.3.0 and earlier, allocated memory is not released. The problem has been patched in detect-character-encoding v0.3.1.