nekofar/gulp-fontiran

WS-2018-0085 (High) detected in http-proxy-agent-1.0.0.tgz

mend-bolt-for-github opened this issue · 0 comments

WS-2018-0085 - High Severity Vulnerability

Vulnerable Library - http-proxy-agent-1.0.0.tgz

An HTTP(s) proxy `http.Agent` implementation for HTTP

Library home page: https://registry.npmjs.org/http-proxy-agent/-/http-proxy-agent-1.0.0.tgz

Path to dependency file: /tmp/ws-scm/gulp-fontiran/package.json

Path to vulnerable library: /tmp/ws-scm/gulp-fontiran/node_modules/http-proxy-agent/package.json

Dependency Hierarchy:

  • typings-2.1.1.tgz (Root Library)
    • typings-core-2.3.3.tgz
      • popsicle-proxy-agent-3.0.0.tgz
        • http-proxy-agent-1.0.0.tgz (Vulnerable Library)

Found in HEAD commit: c05e05e14b3eedeed5a142729f2bcc89c44438f4

Vulnerability Details

Versions of http-proxy-agent before 2.1.0 are vulnerable to denial of service and uninitialized memory leak when unsanitized options are passed to Buffer.

Publish Date: 2018-04-25

URL: WS-2018-0085

CVSS 2 Score Details (8.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/607

Release Date: 2018-01-27

Fix Resolution: 2.1.0

