WS-2018-0111 (High) detected in base64-url-1.2.1.tgz
Closed this issue · 0 comments
mend-for-github-com commented
WS-2018-0111 - High Severity Vulnerability
Vulnerable Library - base64-url-1.2.1.tgz
Base64 encode, decode, escape and unescape for URL applications
Library home page: https://registry.npmjs.org/base64-url/-/base64-url-1.2.1.tgz
Path to dependency file: /tmp/ws-scm/cla-bot/package.json
Path to vulnerable library: /tmp/ws-scm/cla-bot/node_modules/base64-url/package.json
Dependency Hierarchy:
- express-3.20.3.tgz (Root Library)
- connect-2.29.2.tgz
- csurf-1.7.0.tgz
- csrf-2.0.7.tgz
- ❌ base64-url-1.2.1.tgz (Vulnerable Library)
- csrf-2.0.7.tgz
- csurf-1.7.0.tgz
- connect-2.29.2.tgz
Found in HEAD commit: 728af6547d8b346b13cb8e7fe8c30e8a0df3cbeb
Vulnerability Details
Versions of base64-url before 2.0.0 are vulnerable to out-of-bounds read as it allocates uninitialized Buffers when number is passed in input.
Publish Date: 2018-05-16
URL: WS-2018-0111
CVSS 2 Score Details (8.6)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/660
Release Date: 2018-01-27
Fix Resolution: 2.0.0