ghsa-27wq-qx3q-fxm9
Vulnerability from github
Impact
In ced v0.1.0, passing data types other than `Buffer` causes the Node.js process to crash.
Patches
The problem has been patched in ced v1.0.0. You can upgrade from v0.1.0 without any breaking changes.
Workarounds
Before passing an argument to ced, verify it’s a `Buffer` using `Buffer.isBuffer(obj)`.
CVSS score
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/RL:O/RC:C
Base Score: 7.5 (High)
Temporal Score: 7.2 (High)
Since ced is a library, the scoring is based on the “reasonable worst-case implementation scenario”, namely, accepting data from untrusted sources over a network and passing it directly to ced. Depending on your specific implementation, the vulnerability’s severity in your program may be different.
Proof of concept
```js
const express = require("express");
const bodyParser = require("body-parser");
const ced = require("ced");

const app = express();

app.use(bodyParser.raw());

app.post("/", (req, res) => {
  const encoding = ced(req.body);

  res.end(encoding);
});

app.listen(3000);
```
`curl --request POST --header "Content-Type: text/plain" --data foo http://localhost:3000` crashes the server.
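The `Buffer.isBuffer` workaround applied to a handler shaped like the one above, as an added example that is not code from the advisory or the ced project. `guardedDetect`, `makeHandler` and `stubDetect` are hypothetical names, the 400 status is an assumption, and `stubDetect` is a constructed stand-in for ced so the block runs without the package installed.

```javascript
// Added example: type guard in front of an encoding detector such as ced.
// `detect` is the detection function (ced in the proof of concept).

// Returns a result object and never calls detect() on a non-Buffer value.
function guardedDetect(detect, body) {
  // Buffer.isBuffer is false for {}, undefined, strings and plain
  // Uint8Array values, so none of them reach detect().
  if (!Buffer.isBuffer(body)) {
    return { ok: false, status: 400, error: "request body must be a Buffer" };
  }
  return { ok: true, status: 200, encoding: detect(body) };
}

// Express-style (req, res) handler built around the guard (hypothetical helper).
function makeHandler(detect) {
  return (req, res) => {
    const result = guardedDetect(detect, req.body);
    res.statusCode = result.status;
    res.end(result.ok ? result.encoding : result.error);
  };
}

// Constructed stand-in for ced: throws on non-Buffer input to flag any call
// that would have reached the real library unguarded.
function stubDetect(buf) {
  if (!Buffer.isBuffer(buf)) throw new TypeError("unguarded call to detector");
  return "ASCII-7-bit"; // constructed return value
}

// Constructed request bodies: one Buffer, then values a handler can see when
// the body parser did not produce a Buffer.
function runSamples() {
  const bodies = [Buffer.from("foo"), {}, undefined, "foo", new Uint8Array([102, 111, 111])];
  return bodies.map((body) => {
    const res = { statusCode: 0, body: null, end(data) { this.body = data; } };
    makeHandler(stubDetect)({ body }, res);
    return res.statusCode;
  });
}

console.log(runSamples()); // [ 200, 400, 400, 400, 400 ]
```

In the proof of concept, `app.post("/", makeHandler(ced))` would put the same check in front of the real library.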
References
- https://github.com/sonicdoe/ced/commit/a4d9f10b6bf1cd468d1a5b9a283cdf437f8bb7b3
{ "affected": [ { "package": { "ecosystem": "npm", "name": "ced" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "1.0.0" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2021-39131" ], "database_specific": { "cwe_ids": [ "CWE-241" ], "github_reviewed": true, "github_reviewed_at": "2021-08-23T17:18:32Z", "nvd_published_at": "2021-08-17T23:15:00Z", "severity": "HIGH" }, "details": "### Impact\n\nIn ced v0.1.0, passing data types other than `Buffer` causes the Node.js process to crash.\n\n### Patches\n\nThe problem has been patched in [ced v1.0.0](https://github.com/sonicdoe/ced/releases/tag/v1.0.0). You can upgrade from v0.1.0 without any breaking changes.\n\n### Workarounds\n\nBefore passing an argument to ced, verify it\u2019s a `Buffer` using [`Buffer.isBuffer(obj)`](https://nodejs.org/api/buffer.html#buffer_static_method_buffer_isbuffer_obj).\n\n### CVSS score\n\n[CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/RL:O/RC:C](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/RL:O/RC:C)\n\nBase Score: 7.5 (High)\nTemporal Score: 7.2 (High)\n\nSince ced is a library, the scoring is based on the \u201c[reasonable worst-case implementation scenario](https://www.first.org/cvss/v3.1/user-guide#3-7-Scoring-Vulnerabilities-in-Software-Libraries-and-Similar)\u201d, namely, accepting data from untrusted sources over a network and passing it directly to ced. 
Depending on your specific implementation, the vulnerability\u2019s severity in your program may be different.\n\n### Proof of concept\n\n```js\nconst express = require(\"express\");\nconst bodyParser = require(\"body-parser\");\nconst ced = require(\"ced\");\n\nconst app = express();\n\napp.use(bodyParser.raw());\n\napp.post(\"/\", (req, res) =\u003e {\n const encoding = ced(req.body);\n\n res.end(encoding);\n});\n\napp.listen(3000);\n```\n\n`curl --request POST --header \"Content-Type: text/plain\" --data foo http://localhost:3000` crashes the server.\n\n### References\n\n- https://github.com/sonicdoe/ced/commit/a4d9f10b6bf1cd468d1a5b9a283cdf437f8bb7b3", "id": "GHSA-27wq-qx3q-fxm9", "modified": "2021-10-21T14:15:51Z", "published": "2021-08-23T19:42:28Z", "references": [ { "type": "WEB", "url": "https://github.com/sonicdoe/ced/security/advisories/GHSA-27wq-qx3q-fxm9" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39131" }, { "type": "WEB", "url": "https://github.com/sonicdoe/ced/commit/a4d9f10b6bf1cd468d1a5b9a283cdf437f8bb7b3" }, { "type": "PACKAGE", "url": "https://github.com/sonicdoe/ced" }, { "type": "WEB", "url": "https://github.com/sonicdoe/ced/releases/tag/v1.0.0" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "type": "CVSS_V3" } ], "summary": "Improper Handling of Unexpected Data Type in ced" }