Security Alert: [low] [braces]
Type: Regular Expression Denial of Service
Advisory Version: <2.3.1
Current version: 0.1.5
Recommendation: Upgrade to version 2.3.1 or higher.
Url: https://npmjs.com/advisories/786
Detail: Versions of `braces` prior to 2.3.1 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to become unresponsive, leading to Denial of Service.

Security Alert: [high] [cached-path-relative]
Type: Prototype Pollution
Advisory Version: <=1.0.1
Current version: 1.0.1
Recommendation: Update to version 1.0.2 or later.
Url: https://npmjs.com/advisories/739
Detail: Versions of `cached-path-relative` before 1.0.2 are vulnerable to prototype pollution.

Security Alert: [moderate] [concat-stream]
Type: Memory Exposure
Advisory Version: >=1.3.0 <1.3.2 || >=1.4.0 <1.4.11 || >=1.5.0 <1.5.2
Current version: 1.5.0
Recommendation: Update to version 1.5.2, 1.4.11, 1.3.2 or later. If you are unable to update, make sure that user-provided input passed into the `write()` function is not a number.
Url: https://npmjs.com/advisories/597
Detail: Versions of `concat-stream` before 1.5.2 are vulnerable to memory exposure if user-provided input is passed into `write()`. Versions <1.3.0 are not affected because they do not use the unguarded `Buffer` constructor.

Security Alert: [low] [debug]
Type: Regular Expression Denial of Service
Advisory Version: <= 2.6.8 || >= 3.0.0 <= 3.0.1
Current version: 0.7.4
Recommendation: Version 2.x.x: Update to version 2.6.9 or later. Version 3.x.x: Update to version 3.1.0 or later.
Url: https://npmjs.com/advisories/534
Detail: Affected versions of `debug` are vulnerable to regular expression denial of service when untrusted user input is passed into the `o` formatter. As it takes 50,000 characters to block the event loop for 2 seconds, this issue is rated low severity.
Security Alert: [low] [deep-extend]
Type: Prototype Pollution
Advisory Version: <=0.5.0
Current version: 0.4.2
Recommendation: Update to version 0.5.1 or later.
Url: https://npmjs.com/advisories/612
Detail: Versions of `deep-extend` before 0.5.1 are vulnerable to prototype pollution.

Security Alert: [high] [fstream]
Type: Arbitrary File Overwrite
Advisory Version: <1.0.12
Current version: 1.0.11
Recommendation: Upgrade to version 1.0.12 or later.
Url: https://npmjs.com/advisories/886
Detail: Versions of `fstream` prior to 1.0.12 are vulnerable to Arbitrary File Overwrite. Extracting a tarball that contains a hardlink to a file that already exists on the system, followed by a file entry whose path matches the hardlink, overwrites the system file with the contents of the extracted file. The `fstream.DirWriter()` function is vulnerable.

Security Alert: [critical] [growl]
Type: Command Injection
Advisory Version: <1.10.2
Current version: 1.9.2
Recommendation: Update to version 1.10.2 or later.
Url: https://npmjs.com/advisories/146
Detail: Affected versions of `growl` do not properly sanitize input before passing it into a shell command, allowing arbitrary command execution.

Security Alert: [moderate] [hoek]
Type: Prototype Pollution
Advisory Version: <= 4.2.0 || >= 5.0.0 < 5.0.3
Current version: 2.16.3
Recommendation: Update to version 4.2.1, 5.0.3 or later.
Url: https://npmjs.com/advisories/566
Detail: Versions of `hoek` prior to 4.2.1 and 5.0.3 are vulnerable to prototype pollution. The `merge` function, and the `applyToDefaults` and `applyToDefaultsWithShallow` functions which use `merge` behind the scenes, are vulnerable to a prototype pollution attack when given an _unvalidated_ payload created from a JSON string containing the `__proto__` property.
This can be demonstrated like so:

```javascript
var Hoek = require('hoek');

// Attacker-controlled JSON: JSON.parse turns "__proto__" into an own key, and
// the vulnerable merge walks into it, i.e. into Object.prototype.
var malicious_payload = '{"__proto__":{"oops":"It works !"}}';

var a = {};
console.log("Before : " + a.oops); // undefined
Hoek.merge({}, JSON.parse(malicious_payload));
console.log("After : " + a.oops);  // on an affected version every object, including `a`, now inherits `oops`
```

This type of attack can be used to overwrite existing properties, causing a potential denial of service.

Security Alert: [high] [js-yaml]
Type: Code Injection
Advisory Version: <3.13.1
Current version: 3.8.4
Recommendation: Upgrade to version 3.13.1.
Url: https://npmjs.com/advisories/813
Detail: Versions of `js-yaml` prior to 3.13.1 are vulnerable to Code Injection. The `load()` function may execute arbitrary code injected through a malicious YAML file. Objects that have `toString` as key, JavaScript code as value and are used as explicit mapping keys allow attackers to execute the supplied code through the `load()` function. The `safeLoad()` function is unaffected. An example payload is `{ toString: !<tag:yaml.org,2002:js/function> 'function (){return Date.now()}' } : 1`, which returns the object `{ "1553107949161": 1 }`: the key is whatever the injected function returned, here a timestamp.

Security Alert: [moderate] [js-yaml]
Type: Denial of Service
Advisory Version: <3.13.0
Current version: 3.8.4
Recommendation: Upgrade to version 3.13.0.
Url: https://npmjs.com/advisories/788
Detail: Versions of `js-yaml` prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources, leading to a Denial of Service.

Security Alert: [moderate] [lodash]
Type: Prototype Pollution
Advisory Version: <4.17.11
Current version: 3.10.1
Recommendation: Update to version 4.17.11 or later.
Url: https://npmjs.com/advisories/782
Detail: Versions of `lodash` before 4.17.11 are vulnerable to prototype pollution.
The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith', which allow a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}`, causing the addition or modification of a property that will then exist on all objects.

Security Alert: [low] [lodash]
Type: Prototype Pollution
Advisory Version: <4.17.5
Current version: 3.10.1
Recommendation: Update to version 4.17.5 or later.
Url: https://npmjs.com/advisories/577
Detail: Versions of `lodash` before 4.17.5 are vulnerable to prototype pollution. The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith', which allow a malicious user to modify the prototype of `Object` via `__proto__`, causing the addition or modification of a property that will then exist on all objects.

Security Alert: [moderate] [mime]
Type: Regular Expression Denial of Service
Advisory Version: < 1.4.1 || > 2.0.0 < 2.0.3
Current version: 1.3.6
Recommendation: For mime 1.x, update to version 1.4.1 or later; for mime 2.x, update to version 2.0.3 or later.
Url: https://npmjs.com/advisories/535
Detail: Affected versions of `mime` are vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.

Security Alert: [high] [parsejson]
Type: Regular Expression Denial of Service
Advisory Version: <=0.0.3
Current version: 0.0.3
Recommendation: The `parsejson` package has not been functionally updated since it was initially released. It also provides functionality that is natively included in Node.js, so the native `JSON.parse()` should be used instead, for both performance and security reasons.
Url: https://npmjs.com/advisories/528
Detail: Affected versions of `parsejson` are vulnerable to a regular expression denial of service when parsing untrusted user input.

Security Alert: [low] [randomatic]
Type: Cryptographically Weak PRNG
Advisory Version: <3.0.0
Current version: 1.1.6
Recommendation: Update to version 3.0.0 or later.
Url: https://npmjs.com/advisories/157
Detail: Affected versions of `randomatic` generate random values using a cryptographically weak pseudo-random number generator. This may result in predictable values instead of the random values intended.

Security Alert: [high] [sshpk]
Type: Regular Expression Denial of Service
Advisory Version: <1.13.2 || >=1.14.0 <1.14.1
Current version: 1.13.0
Recommendation: Update to version 1.13.2, 1.14.1 or later.
Url: https://npmjs.com/advisories/606
Detail: Versions of `sshpk` before 1.13.2 or 1.14.1 are vulnerable to regular expression denial of service when parsing crafted invalid public keys.

Security Alert: [moderate] [static-eval]
Type: Sandbox Breakout / Arbitrary Code Execution
Advisory Version: <=2.0.1
Current version: 0.2.4
Recommendation: Upgrade to version 2.0.2 or later.
Url: https://npmjs.com/advisories/758
Detail: Versions of `static-eval` prior to 2.0.2 pass untrusted user input directly to the global function constructor, resulting in an arbitrary code execution vulnerability when user input is parsed via the package.

## Proof of concept

```javascript
var evaluate = require('static-eval');
var parse = require('esprima').parse;

// Destructure a parameter whose value is a built-in function (`"".sub`),
// read its `constructor` (the global Function) and call it with
// attacker-supplied source; the trailing `()` runs the resulting function.
var payload = '(function({x}){return x.constructor})({x:"".sub})("console.log(process.env)")()';
var ast = parse(payload).body[0].expression;
console.log(evaluate(ast, {x:1}));
```

Security Alert: [moderate] [static-eval]
Type: Sandbox Breakout / Arbitrary Code Execution
Advisory Version: <=1.1.1
Current version: 0.2.4
Recommendation: Update to version 2.0.0 or later.
Url: https://npmjs.com/advisories/548
Detail: Affected versions of `static-eval` pass untrusted user input directly to the global function constructor, resulting in an arbitrary code execution vulnerability when user input is parsed via the package.
## Proof of concept

```javascript
var evaluate = require('static-eval');
var parse = require('esprima').parse;

// An immediately-invoked function expression: affected versions hand its
// source to the Function constructor, so the body runs in the real process.
var src = '(function(){console.log(process.pid)})()';
var ast = parse(src).body[0].expression;
var res = evaluate(ast, {}); // Will print the process id
```

Security Alert: [moderate] [stringstream]
Type: Out-of-bounds Read
Advisory Version: <=0.0.5
Current version: 0.0.5
Recommendation: No fix is currently available for this vulnerability. It is our recommendation to not install or use this module if user input is being passed in to `stringstream`.
Url: https://npmjs.com/advisories/664
Detail: All versions of `stringstream` are vulnerable to out-of-bounds read, as the module allocates uninitialized Buffers when a number is passed to the input stream on Node.js 4.x and below.

Security Alert: [high] [tar]
Type: Arbitrary File Overwrite
Advisory Version: <2.2.2 || >=3.0.0 <4.4.2
Current version: 2.2.1
Recommendation: For tar 4.x, upgrade to version 4.4.2 or later. For tar 2.x, upgrade to version 2.2.2 or later.
Url: https://npmjs.com/advisories/803
Detail: Versions of `tar` prior to 4.4.2 for 4.x and 2.2.2 for 2.x are vulnerable to Arbitrary File Overwrite. Extracting a tarball that contains a hardlink to a file that already exists on the system, followed by a file entry whose path matches the hardlink, overwrites the system file with the contents of the extracted file.

Security Alert: [high] [tough-cookie]
Type: Regular Expression Denial of Service
Advisory Version: <2.3.3
Current version: 2.3.2
Recommendation: Update to version 2.3.3 or later.
Url: https://npmjs.com/advisories/525
Detail: Affected versions of `tough-cookie` are susceptible to a regular expression denial of service. The amplification of this vulnerability is relatively low: it takes around 2 seconds for the engine to execute on a malicious input 50,000 characters in length.
If Node was compiled with `-DHTTP_MAX_HEADER_SIZE` to raise the header limit, however, the impact can be significant, because the default maximum HTTP header length in Node is the primary limit on how long a malicious input can be.

Security Alert: [moderate] [tunnel-agent]
Type: Memory Exposure
Advisory Version: <0.6.0
Current version: 0.4.3
Recommendation: Update to version 0.6.0 or later.
Url: https://npmjs.com/advisories/598
Detail: Versions of `tunnel-agent` before 0.6.0 are vulnerable to memory exposure. This is exploitable if user-supplied input is provided as the proxy `auth` value and is a number.

Proof-of-concept:

```js
require('request')({
  method: 'GET',
  uri: 'http://www.example.com',
  tunnel: true,
  proxy: {
    protocol: 'http:',
    host: '127.0.0.1',
    port: 8080,
    auth: USERSUPPLIEDINPUT // a number here is treated as a byte length: affected versions allocate an uninitialized Buffer of that size instead of encoding a credential string
  }
});
```

Security Alert: [high] [ws]
Type: Denial of Service
Advisory Version: <1.1.5 || >=2.0.0 <3.3.1
Current version: 1.1.2
Recommendation: For ws 1.x, update to version 1.1.5 or later; for ws 2.x and 3.x, update to version 3.3.1 or later.
Url: https://npmjs.com/advisories/550
Detail: Affected versions of `ws` can crash when a specially crafted `Sec-WebSocket-Extensions` header containing `Object.prototype` property names as extension or parameter names is sent.

## Proof of concept

```javascript
const WebSocket = require('ws');
const net = require('net');

const wss = new WebSocket.Server({ port: 3000 }, function () {
  // An extension name that collides with a property every plain object inherits.
  const payload = 'constructor'; // or ',;constructor'
  const request = [
    'GET / HTTP/1.1',
    'Connection: Upgrade',
    'Sec-WebSocket-Key: test',
    'Sec-WebSocket-Version: 8',
    `Sec-WebSocket-Extensions: ${payload}`,
    'Upgrade: websocket',
    '\r\n'
  ].join('\r\n');

  // Raw TCP client sending the crafted handshake to the server just started.
  const socket = net.connect(3000, function () {
    socket.resume();
    socket.write(request);
  });
});
```

Security Alert: [high] [handlebars]
Type: Prototype Pollution
Advisory Version: <=4.0.13 || >=4.1.0 <4.1.2
Current version: 4.0.11
Recommendation: For handlebars 4.1.x upgrade to 4.1.2 or later. For handlebars 4.0.x upgrade to 4.0.14 or later.
Url: https://npmjs.com/advisories/755
Detail: Versions of `handlebars` prior to 4.0.14 are vulnerable to Prototype Pollution. Templates may alter an Object's prototype, allowing an attacker to execute arbitrary code on the server.

Security Alert: [high] [cryptiles]
Type: Insufficient Entropy
Advisory Version: >=3.1.0 <3.1.3 || >=4.0.0 <4.1.2
Current version: 3.1.2
Recommendation: Update to version 3.1.3 or 4.1.2 or later.
Url: https://npmjs.com/advisories/720
Detail: Versions of `cryptiles` from 3.1.0 through 3.1.2, and from 4.0.0 through 4.1.1, are vulnerable to insufficient entropy. The `randomDigits` method generates digits that lack a perfect distribution over enough attempts.

Security Alert: [low] [merge]
Type: Prototype Pollution
Advisory Version: <=1.2.0
Current version: 1.2.0
Recommendation: Update to version 1.2.1 or later.
Url: https://npmjs.com/advisories/722
Detail: Versions of `merge` before 1.2.1 are vulnerable to prototype pollution. The `merge.recursive` function can be tricked into adding or modifying properties of the Object prototype.