vulnerabilities in npm dependencies

ugh, npm.

There are 68 npm security advisories affecting our repositories.

#146: growl (CVE-2017-16042)

Severity: critical

Affected versions of growl do not properly sanitize input prior to passing it into a shell command, allowing for arbitrary command execution.

Affected repositories (1)

#755: handlebars

Severity: critical

Versions of handlebars prior to 4.0.14 are vulnerable to Prototype Pollution. Templates may alter an Objects' prototype, thus allowing an attacker to execute arbitrary code on the server.

Affected repositories (1)

#1012: set-value (CVE-2019-10747)

Severity: high

Versions of set-value prior to 3.0.1 or 2.0.1 are vulnerable to Prototype Pollution. The set function fails to validate which Object properties it updates. This allows attackers to modify the prototype of Object, causing the addition or modification of an existing property on all objects.

Affected repositories (1)

#1013: mixin-deep (CVE-2019-10746)

Severity: high

Versions of mixin-deep prior to 2.0.1 or 1.3.2 are vulnerable to Prototype Pollution. The mixinDeep function fails to validate which Object properties it updates. This allows attackers to modify the prototype of Object, causing the addition or modification of an existing property on all objects.

Affected repositories (1)

#1065: lodash (CVE-2019-10744)

Severity: high

Versions of lodash before 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep allows a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.

Affected repositories (50)

#1164: handlebars (CVE-2019-19919)

Severity: high

Versions of handlebars prior to 3.0.8 or 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Objects' __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads.

Affected repositories (1)

#1171: csv-parse (CVE-2019-17592)

Severity: high

Versions of csv-parse prior to 4.4.6 are vulnerable to Regular Expression Denial of Service. The __isInt() function contains a malformed regular expression that processes large specially-crafted input very slowly, leading to a Denial of Service. This is triggered when using the cast option.

Affected repositories (1)

#118: minimatch (CVE-2016-10540)

Severity: high

Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern).

Proof of Concept

``` var minimatch = require(โ€œminimatchโ€);

// utility function for generating long strings var genstr = function (len, chr) { var result = โ€œโ€; for (i=0; i<=len; i++) { result = result + chr; } return result; }

var exploit = โ€œ[!โ€ + genstr(1000000, โ€œ\โ€) + โ€œAโ€;

// minimatch exploit. console.log(โ€œstarting minimatchโ€); minimatch(โ€œfooโ€, exploit); console.log(โ€œfinishing minimatchโ€); ```

Affected repositories (43)

#1217: decompress

Severity: high

Versions of decompress prior to 4.2.1 are vulnerable to Arbitrary File Write. The package fails to prevent extraction of files with relative paths, allowing attackers to write to any folder in the system by including filenames containing../.

Affected repositories (1)

#1316: handlebars

Severity: high

Versions of handlebars prior to 3.0.8 or 4.5.2 are vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system. It can be used to run arbitrary code in a server processing Handlebars templates or on a victim's browser (effectively serving as Cross-Site Scripting).

The following template can be used to demonstrate the vulnerability:
{{#with "constructor"}} {{#with split as |a|}} {{pop (push "alert('Vulnerable Handlebars JS');")}} {{#with (concat (lookup join (slice 0 1)))}} {{#each (slice 2 3)}} {{#with (apply 0 a)}} {{.}} {{/with}} {{/each}} {{/with}} {{/with}} {{/with}}

Affected repositories (1)

#1324: handlebars

Severity: high

Versions of handlebars prior to 3.0.8 or 4.5.3 are vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system. It is due to an incomplete fix for a previous issue. This vulnerability can be used to run arbitrary code in a server processing Handlebars templates or on a victim's browser (effectively serving as Cross-Site Scripting).

Affected repositories (1)

#1325: handlebars

Severity: high

Versions of handlebars prior to 3.0.8 or 4.5.3 are vulnerable to prototype pollution. It is possible to add or modify properties to the Object prototype through a malicious template. This may allow attackers to crash the application or execute Arbitrary Code in specific conditions.

Affected repositories (1)

#1464: cryptiles (CVE-2018-1000620)

Severity: high

Versions of cryptiles prior to 4.1.2 are vulnerable to Insufficient Entropy. The randomDigits() method does not provide sufficient entropy and its generates digits that are not evenly distributed.

Affected repositories (4)

#1469: qs (CVE-2017-1000048)

Severity: high

Affected version of qs are vulnerable to Prototype Pollution because it is possible to bypass the protection. The qs.parse function fails to properly prevent an object's prototype to be altered when parsing arbitrary input. Input containing [ or ] may bypass the prototype pollution protection and alter the Object prototype. This allows attackers to override properties that will exist in all objects, which may lead to Denial of Service or Remote Code Execution in specific circumstances.

Affected repositories (3)

#1547: elliptic (CVE-2020-13822)

Severity: high

The Elliptic package before version 6.5.3 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.

Affected repositories (1)

#1548: serialize-javascript

Severity: high

serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".

An object such as {"foo": /1"/, "bar": "a\"@__R-<UID>-0__@"} was serialized as {"foo": /1"/, "bar": "a\/1"/}, which allows an attacker to escape the bar key. This requires the attacker to control the values of both foo and bar and guess the value of . The UID has a keyspace of approximately 4 billion making it a realistic network attack.

The following proof-of-concept calls console.log() when the running eval():
eval('('+ serialize({"foo": /1" + console.log(1)/i, "bar": '"@__R-<UID>-0__@'}) + ')');

Affected repositories (1)

#1550: url-regex

Severity: high

All versions of url-regex are vulnerable to a Regular Expression Denial of Service. An attacker providing a very long string in String.test can cause a Denial of Service.

Affected repositories (1)

#1555: bl

Severity: high

A buffer over-read vulnerability exists in bl <4.0.3, <3.0.1 <2.2.1 and <1.2.3 which could allow an attacker to supply user input (even typed) that if it ends up in consume() argument and can become negative, the BufferList state can be corrupted, tricking it into exposing uninitialized memory via regular .slice() calls.

Affected repositories (1)

#1594: axios (CVE-2020-28168)

Severity: high

The axios NPM package before 0.21.1 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.

Affected repositories (2)

#1631: diff

Severity: high

Affected versions of diff are vulnerable to Regular Expression Denial of Service (ReDoS). This can cause an impact of about 10 seconds matching time for data 48K characters long.

Affected repositories (2)

#28: qs (CVE-2014-10064)

Severity: high

Versions prior to 1.0.0 of qs are affected by a denial of service vulnerability that results from excessive recursion in parsing a deeply nested JSON string.

Affected repositories (1)

#29: qs (CVE-2014-7191)

Severity: high

Versions prior to 1.0 of qs are affected by a denial of service condition. This condition is triggered by parsing a crafted string that deserializes into very large sparse arrays, resulting in the process running out of memory and eventually crashing.

Affected repositories (1)

#328: jquery (CVE-2017-16012)

Severity: high

Affected versions of jquery interpret text/javascript responses from cross-origin ajax requests, and automatically execute the contents in jQuery.globalEval, even when the ajax request doesn't contain the dataType option.

Affected repositories (1)

#525: tough-cookie (CVE-2017-15010)

Severity: high

Affected versions of tough-cookie are susceptible to a regular expression denial of service.

The amplification on this vulnerability is relatively low - it takes around 2 seconds for the engine to execute on a malicious input which is 50,000 characters in length.

If node was compiled using the -DHTTP_MAX_HEADER_SIZE however, the impact of the vulnerability can be significant, as the primary limitation for the vulnerability is the default max HTTP header length in node.

Affected repositories (2)

#528: parsejson (CVE-2017-16113)

Severity: high

Affected versions of parsejson are vulnerable to a regular expression denial of service when parsing untrusted user input.

Affected repositories (1)

#550: ws

Severity: high

Affected versions of ws can crash when a specially crafted Sec-WebSocket-Extensions header containing Object.prototype property names as extension or parameter names is sent.

Proof of concept

``` const WebSocket = require('ws'); const net = require('net');

const wss = new WebSocket.Server({ port: 3000 }, function () { const payload = 'constructor'; // or ',;constructor'

const request = [ 'GET / HTTP/1.1', 'Connection: Upgrade', 'Sec-WebSocket-Key: test', 'Sec-WebSocket-Version: 8', Sec-WebSocket-Extensions: ${payload}, 'Upgrade: websocket', '\r\n' ].join('\r\n');

const socket = net.connect(3000, function () { socket.resume(); socket.write(request); }); }); ```

Affected repositories (1)

#606: sshpk (CVE-2018-3737)

Severity: high

Versions of sshpk before 1.13.2 or 1.14.1 are vulnerable to regular expression denial of service when parsing crafted invalid public keys.

Affected repositories (1)

#681: adm-zip (CVE-2018-1002204)

Severity: high

Versions of adm-zip before 0.4.9 are vulnerable to arbitrary file write when used to extract a specifically crafted archive that contains path traversal filenames (../../file.txt for example).

Affected repositories (1)

#720: cryptiles (CVE-2018-1000620)

Severity: high

Versions of cryptiles from version 3.1.0 through 3.1.2, and versions 4.0.0 to version 4.1.1 are vulnerable to insufficient entropy. The randomDigits method generates digits that lack a perfect distribution over enough attempts.

Affected repositories (1)

#782: lodash (CVE-2018-16487)

Severity: high

Versions of lodash before 4.17.5 are vulnerable to prototype pollution.

The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.

Affected repositories (50)

#803: tar

Severity: high

Versions of tar prior to 4.4.2 for 4.x and 2.2.2 for 2.x are vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink will overwrite the system's file with the contents of the extracted file.

Affected repositories (1)

#813: js-yaml

Severity: high

Versions of js-yaml prior to 3.13.1 are vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file. Objects that have toString as key, JavaScript code as value and are used as explicit mapping keys allow attackers to execute the supplied code through the load() function. The safeLoad() function is unaffected.

An example payload is { toString: !<tag:yaml.org,2002:js/function> 'function (){return Date.now()}' } : 1 which returns the object { "1553107949161": 1 }

Affected repositories (26)

#886: fstream (CVE-2019-13173)

Severity: high

Versions of fstream prior to 1.0.12 are vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system and a file that matches the hardlink will overwrite the system's file with the contents of the extracted file. The fstream.DirWriter() function is vulnerable.

Affected repositories (1)

#994: adm-zip (CVE-2018-1002204)

Severity: high

Versions of adm-zip before 0.4.9 are vulnerable to arbitrary file write when used to extract a specifically crafted archive that contains path traversal filenames (../../file.txt for example).

Affected repositories (1)

#1300: handlebars

Severity: moderate

Affected versions of handlebars are vulnerable to Denial of Service. The package's parser may be forced into an endless loop while processing specially-crafted templates. This may allow attackers to exhaust system resources leading to Denial of Service.

Affected repositories (1)

#1426: serialize-javascript (CVE-2019-16769)

Severity: moderate

Versions of serialize-javascript prior to 2.1.1 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize serialized regular expressions. This vulnerability does not affect Node.js applications.

Affected repositories (1)

#1488: acorn

Severity: moderate

Affected versions of acorn are vulnerable to Regular Expression Denial of Service. A regex in the form of /[x-\ud800]/u causes the parser to enter an infinite loop. The string is not valid UTF16 which usually results in it being sanitized before reaching the parser. If an application processes untrusted input and passes it directly to acorn, attackers may leverage the vulnerability leading to Denial of Service.

Affected repositories (1)

#1518: jquery (CVE-2020-11022)

Severity: moderate

Versions of jquery prior to 3.5.0 are vulnerable to Cross-Site Scripting. Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute arbitrary JavaScript in a victim's browser.

Affected repositories (2)

#1609: socket.io (CVE-2020-28481)

Severity: moderate

Affected versions of socket.io are vulnerable to Insecure Defaults due to CORS Misconfiguration. All domains are whitelisted by default.

Affected repositories (2)

#1633: nwmatcher

Severity: moderate

Affected versions of nwmatcher are vulnerable to Regular Expression Denial of Service (ReDoS). This can cause an impact of about 10 seconds matching time for data 2k characters long.

Affected repositories (1)

#1638: prismjs (CVE-2021-23341)

Severity: moderate

prismjs versions before 1.23.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the prism-asciidoc, prism-rest, prism-tap and prism-eiffel components.

Affected repositories (1)

#535: mime (CVE-2017-16138)

Severity: moderate

Affected versions of mime are vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.

Affected repositories (1)

#566: hoek (CVE-2018-3728)

Severity: moderate

Versions of hoek prior to 4.2.1 and 5.0.3 are vulnerable to prototype pollution.

The merge function, and the applyToDefaults and applyToDefaultsWithShallow functions which leverage merge behind the scenes, are vulnerable to a prototype pollution attack when provided an unvalidated payload created from a JSON string containing the __proto__ property.

This can be demonstrated like so:

```javascript var Hoek = require('hoek'); var malicious_payload = '{"proto":{"oops":"It works !"}}';

var a = {}; console.log("Before : " + a.oops); Hoek.merge({}, JSON.parse(malicious_payload)); console.log("After : " + a.oops); ```

This type of attack can be used to overwrite existing properties causing a potential denial of service.

Affected repositories (3)

#598: tunnel-agent

Severity: moderate

Versions of tunnel-agent before 0.6.0 are vulnerable to memory exposure.

This is exploitable if user supplied input is provided to the auth value and is a number.

Proof-of-concept: js require('request')({ method: 'GET', uri: 'http://www.example.com', tunnel: true, proxy:{ protocol: 'http:', host:'127.0.0.1', port:8080, auth:USERSUPPLIEDINPUT // number } });

Affected repositories (2)

#646: atob

Severity: moderate

Versions of atob before 2.1.0 uninitialized Buffers when number is passed in input on Node.js 4.x and below.

Affected repositories (1)

#664: stringstream

Severity: moderate

All versions of stringstream are vulnerable to out-of-bounds read as it allocates uninitialized Buffers when number is passed in input stream on Node.js 4.x and below.

Affected repositories (2)

#745: underscore.string

Severity: moderate

Versions of underscore.string prior to 3.3.5 are vulnerable to Regular Expression Denial of Service (ReDoS).

The function unescapeHTML is vulnerable to ReDoS due to an overly-broad regex. The slowdown is approximately 2s for 50,000 characters but grows exponentially with larger inputs.

Affected repositories (4)

#780: just-extend (CVE-2018-16489)

Severity: moderate

Versions of just-extend before 4.0.0 are vulnerable to prototype pollution. Provided certain input just-extend can add or modify properties of the Object prototype. These properties will be present on all objects.

Affected repositories (1)

#788: js-yaml

Severity: moderate

Versions of js-yaml prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources leading to a Denial of Service.

Affected repositories (26)

#796: jquery (CVE-2019-5428)

Severity: moderate

Versions of jquery prior to 3.4.0 are vulnerable to Prototype Pollution. The extend() method allows an attacker to modify the prototype for Object causing changes in properties that will exist on all objects.

Affected repositories (2)

#812: marked

Severity: moderate

Versions of marked prior to 0.6.2 and later than 0.3.14 are vulnerable to Regular Expression Denial of Service. Email addresses may be evaluated in quadratic time, allowing attackers to potentially crash the node process due to resource exhaustion.

Affected repositories (1)

#880: axios

Severity: moderate

Versions of axios prior to 0.18.1 are vulnerable to Denial of Service. If a request exceeds the maxContentLength property, the package prints an error but does not stop the request. This may cause high CPU usage and lead to Denial of Service.

Affected repositories (2)

#996: extend

Severity: moderate

Versions of extend prior to 3.0.2 (for 3.x) and 2.0.2 (for 2.x) are vulnerable to Prototype Pollution. The extend() function allows attackers to modify the prototype of Object causing the addition or modification of an existing property that will exist on all objects.

Affected repositories (2)

#1084: mem

Severity: low

Versions of mem prior to 4.0.0 are vulnerable to Denial of Service (DoS). The package fails to remove old values from the cache even after a value passes its maxAge property. This may allow attackers to exhaust the system's memory if they are able to abuse the application logging.

Affected repositories (1)

#1179: minimist

Severity: low

Affected versions of minimist are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument --__proto__.y=Polluted adds a y property with value Polluted to all objects. The argument --__proto__=Polluted raises and uncaught error and crashes the application.
This is exploitable if attackers have control over the arguments being passed to minimist.

Affected repositories (6)

#1490: kind-of

Severity: low

Versions of kind-of 6.x prior to 6.0.3 are vulnerable to a Validation Bypass. A maliciously crafted object can alter the result of the type check, allowing attackers to bypass the type checking validation.

Affected repositories (1)

#1500: yargs-parser

Severity: low

Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument --foo.__proto__.bar baz' adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.

Affected repositories (1)

#1523: lodash (CVE-2019-10744)

Severity: low

Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The function zipObjectDeep allows a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires zipping objects based on user-provided property arrays.

This vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.

Affected repositories (50)

#1556: node-fetch (CVE-2020-15168)

Severity: low

Node Fetch did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure.

For most people, this fix will have a little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant, for example: If you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.

Affected repositories (1)

#157: randomatic (CVE-2017-16028)

Severity: low

Affected versions of randomatic generate random values using a cryptographically weak psuedo-random number generator. This may result in predictable values instead of random values as intended.

Affected repositories (1)

#1589: ini

Severity: low

ini before version 1.3.6 has a Prototype Pollution vulnerability.

Impact

If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.

Patches

This has been patched in 1.3.6

Steps to reproduce

payload.ini [__proto__] polluted = "polluted"

poc.js: ``` var fs = require('fs') var ini = require('ini')

var parsed = ini.parse(fs.readFileSync('./payload.ini', 'utf-8')) console.log(parsed) console.log(parsed.proto) console.log(polluted) ```

```

node poc.js {} { polluted: 'polluted' } { polluted: 'polluted' } polluted

```

Affected repositories (2)

#533: timespan (CVE-2017-16115)

Severity: low

Affected versions of timespan are vulnerable to a regular expression denial of service when parsing dates.

The amplification for this vulnerability is significant, with 50,000 characters resulting in the event loop being blocked for around 10 seconds.

Affected repositories (1)

#534: debug (CVE-2017-16137)

Severity: low

Affected versions of debug are vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter.

As it takes 50,000 characters to block the event loop for 2 seconds, this issue is a low severity issue.

Affected repositories (5)

#577: lodash (CVE-2018-3721)

Severity: low

Versions of lodash before 4.17.5 are vulnerable to prototype pollution.

The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of Object via __proto__ causing the addition or modification of an existing property that will exist on all objects.

Affected repositories (50)

#612: deep-extend

Severity: low

Versions of deep-extend before 0.5.1 are vulnerable to prototype pollution.

Affected repositories (1)

#786: braces

Severity: low

Versions of braces prior to 2.3.1 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service.

Affected repositories (115)

#95: cli (CVE-2016-10538)

Severity: low

Affected versions of cli use predictable temporary file names. If an attacker can create a symbolic link at the location of one of these temporarly file names, the attacker can arbitrarily write to any file that the user which owns the cli process has permission to write to.

Proof of Concept

By creating Symbolic Links at the following locations, the target of the link can be written to. lock_file = '/tmp/' + cli.app + '.pid', log_file = '/tmp/' + cli.app + '.log';

Affected repositories (33)

#961: node-sass

Severity: low

Affected versions of node-sass are vulnerable to Denial of Service (DoS). Crafted objects passed to the renderSync function may trigger C++ assertions in CustomImporterBridge::get_importer_entry and CustomImporterBridge::post_process_return_value that crash the Node process. This may allow attackers to crash the system's running Node process and lead to Denial of Service.

Affected repositories (1)
Source code is licensed under the AGPL.