GHSA-6x33-pw7p-hmpq

Published: 04 Sep 2020
Source: github
Github: Reviewed
CVSS3: 7.5

Description

Denial of Service in http-proxy

Versions of http-proxy prior to 1.18.1 are vulnerable to Denial of Service. An HTTP request with a long body triggers an ERR_HTTP_HEADERS_SENT unhandled exception that crashes the proxy server. This is only possible when the proxy server sets headers in the proxy request using the proxyReq.setHeader function.

For a proxy server running on http://localhost:3000, the following curl request triggers the unhandled exception:
curl -XPOST http://localhost:3000 -d "$(python -c 'print("x"*1025)')"

Recommendation

Upgrade to version 1.18.1 or later

Packages

Name: http-proxy (npm)
Affected versions: < 1.18.1
Fixed version: 1.18.1

CVSS3: 7.5 High

Weaknesses

CWE-184
CWE-693